
Windows Analysis Report
HUSDGHCE23ED.exe

Overview

General Information

Sample name: HUSDGHCE23ED.exe
Analysis ID: 1578148
MD5: 43d515ce2b62bad63485ed46844f643a
SHA1: 54d484d170f54f420d82a475b9e6735cdffa5f85
SHA256: 547f1a4190de76e64b30bbf7af297dd27726fb938027fd19b65db5e6d74e23cd
Tags: exeuser-TeamDreier

Detection

MassLogger RAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected MassLogger RAT
Yara detected Telegram RAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • HUSDGHCE23ED.exe (PID: 2168 cmdline: "C:\Users\user\Desktop\HUSDGHCE23ED.exe" MD5: 43D515CE2B62BAD63485ED46844F643A)
    • HUSDGHCE23ED.exe (PID: 5424 cmdline: "C:\Users\user\Desktop\HUSDGHCE23ED.exe" MD5: 43D515CE2B62BAD63485ED46844F643A)
  • cleanup
{"EXfil Mode": "Telegram", "Telegram Token": "7704742999:AAG0GCBtZYjgQBMY4ELoXFDZtEO_hdGA7UY", "Telegram Chatid": "7245529134"}
Yara matches in memory dumps (Source; Rule; Description; Author; Strings):
Source: 00000002.00000002.2727538704.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_MassLogger; Description: Yara detected MassLogger RAT; Author: Joe Security
Source: 00000002.00000002.2727538704.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 00000002.00000002.2727538704.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_TelegramRAT; Description: Yara detected Telegram RAT; Author: Joe Security
Source: 00000002.00000002.2727538704.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Rule: Windows_Trojan_SnakeKeylogger_af3faa65; Description: unknown; Author: unknown; Strings:
  • 0xefdf:$a1: get_encryptedPassword
  • 0xf307:$a2: get_encryptedUsername
  • 0xed7a:$a3: get_timePasswordChanged
  • 0xee9b:$a4: get_passwordField
  • 0xeff5:$a5: set_encryptedPassword
  • 0x10951:$a7: get_logins
  • 0x10602:$a8: GetOutlookPasswords
  • 0x103f4:$a9: StartKeylogger
  • 0x108a1:$a10: KeyLoggerEventArgs
  • 0x10451:$a11: KeyLoggerEventArgsEventHandler
Source: 00000002.00000002.2729460791.0000000002D5E000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Yara matches in unpacked PEs (Source; Rule; Description; Author; Strings):
Source: 0.2.HUSDGHCE23ED.exe.3fe0e10.2.unpack; Rule: JoeSecurity_MassLogger; Description: Yara detected MassLogger RAT; Author: Joe Security
Source: 0.2.HUSDGHCE23ED.exe.3fe0e10.2.unpack; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 0.2.HUSDGHCE23ED.exe.3fe0e10.2.unpack; Rule: JoeSecurity_TelegramRAT; Description: Yara detected Telegram RAT; Author: Joe Security
Source: 0.2.HUSDGHCE23ED.exe.3fe0e10.2.unpack; Rule: Windows_Trojan_SnakeKeylogger_af3faa65; Description: unknown; Author: unknown; Strings:
  • 0xd3df:$a1: get_encryptedPassword
  • 0xd707:$a2: get_encryptedUsername
  • 0xd17a:$a3: get_timePasswordChanged
  • 0xd29b:$a4: get_passwordField
  • 0xd3f5:$a5: set_encryptedPassword
  • 0xed51:$a7: get_logins
  • 0xea02:$a8: GetOutlookPasswords
  • 0xe7f4:$a9: StartKeylogger
  • 0xeca1:$a10: KeyLoggerEventArgs
  • 0xe851:$a11: KeyLoggerEventArgsEventHandler
Source: 0.2.HUSDGHCE23ED.exe.3fe0e10.2.unpack; Rule: MAL_Envrial_Jan18_1; Description: Detects Encrial credential stealer malware; Author: Florian Roth; Strings:
  • 0x1238b:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x11889:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x11b97:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1298f:$a5: \Kometa\User Data\Default\Login Data
                No Sigma rule has matched
Suricata IDS alert:
Timestamp: 2024-12-19T10:28:34.565523+0100; SID: 2803274; Severity: 2; Classtype: Potentially Bad Traffic; Source IP: 192.168.2.9; Source Port: 49705; Destination IP: 158.101.44.242; Destination Port: 80; Protocol: TCP


                AV Detection

Source: 00000000.00000002.2731298048.0000000003F29000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7704742999:AAG0GCBtZYjgQBMY4ELoXFDZtEO_hdGA7UY", "Telegram Chatid": "7245529134"}
Source: HUSDGHCE23ED.exe; ReversingLabs: Detection: 65%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability

                Location Tracking

Source: unknown; DNS query: name: reallyfreegeoip.org
Source: HUSDGHCE23ED.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.9:49710 version: TLS 1.0
Source: HUSDGHCE23ED.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: HUSDGHCE23ED.exe, 00000000.00000002.2734013912.00000000059C0000.00000004.08000000.00040000.00000000.sdmp, HUSDGHCE23ED.exe, 00000000.00000002.2729492545.0000000002F21000.00000004.00000800.00020000.00000000.sdmp
Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 158.101.44.242
Source: Joe Sandbox View; JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown; DNS query: name: checkip.dyndns.org
Source: Network traffic; Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.9:49705 -> 158.101.44.242:80
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic; DNS traffic detected: DNS query: reallyfreegeoip.org
Source: HUSDGHCE23ED.exe, 00000002.00000002.2729460791.0000000002C7E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.com
Source: HUSDGHCE23ED.exe, 00000002.00000002.2729460791.0000000002C7E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.comd
Source: HUSDGHCE23ED.exe, 00000002.00000002.2729460791.0000000002C7E000.00000004.00000800.00020000.00000000.sdmp, HUSDGHCE23ED.exe, 00000002.00000002.2729460791.0000000002C72000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.org
Source: HUSDGHCE23ED.exe, 00000002.00000002.2729460791.0000000002C01000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.org/
Source: HUSDGHCE23ED.exe, 00000002.00000002.2729460791.0000000002C7E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.org/d
Source: HUSDGHCE23ED.exe, 00000000.00000002.2731298048.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, HUSDGHCE23ED.exe, 00000002.00000002.2727538704.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.org/q
Source: HUSDGHCE23ED.exe, 00000002.00000002.2729460791.0000000002C7E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.orgd
Source: HUSDGHCE23ED.exe, 00000002.00000002.2729460791.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://reallyfreegeoip.org
Source: HUSDGHCE23ED.exe, 00000002.00000002.2729460791.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://reallyfreegeoip.orgd
Source: HUSDGHCE23ED.exe, 00000002.00000002.2729460791.0000000002C01000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: HUSDGHCE23ED.exe, 00000000.00000002.2731298048.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, HUSDGHCE23ED.exe, 00000002.00000002.2727538704.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: HUSDGHCE23ED.exe, 00000002.00000002.2729460791.0000000002C7E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://reallyfreegeoip.org
Source: HUSDGHCE23ED.exe, 00000000.00000002.2731298048.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, HUSDGHCE23ED.exe, 00000002.00000002.2729460791.0000000002C7E000.00000004.00000800.00020000.00000000.sdmp, HUSDGHCE23ED.exe, 00000002.00000002.2727538704.0000000000402000.00000040.00000400.00020000.00000000.sdmp; String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: HUSDGHCE23ED.exe, 00000002.00000002.2729460791.0000000002C7E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: HUSDGHCE23ED.exe, 00000002.00000002.2729460791.0000000002C7E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: unknown; Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49710

                Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.HUSDGHCE23ED.exe.3fe0e10.2.raw.unpack, UltraSpeed.cs; .Net Code: VKCodeToUnicode
Source: 0.2.HUSDGHCE23ED.exe.3ff7c40.3.raw.unpack, UltraSpeed.cs; .Net Code: VKCodeToUnicode

                System Summary

Source: 0.2.HUSDGHCE23ED.exe.3fe0e10.2.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.HUSDGHCE23ED.exe.3fe0e10.2.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.HUSDGHCE23ED.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.HUSDGHCE23ED.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.HUSDGHCE23ED.exe.3ff7c40.3.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.HUSDGHCE23ED.exe.3ff7c40.3.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.HUSDGHCE23ED.exe.3ff7c40.3.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.HUSDGHCE23ED.exe.3ff7c40.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.HUSDGHCE23ED.exe.3fe0e10.2.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.HUSDGHCE23ED.exe.3fe0e10.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.HUSDGHCE23ED.exe.3f6e170.4.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.HUSDGHCE23ED.exe.3f6e170.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.2727538704.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.2731298048.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: HUSDGHCE23ED.exe PID: 2168, type: MEMORYSTR; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: HUSDGHCE23ED.exe PID: 5424, type: MEMORYSTR; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: HUSDGHCE23ED.exe, 00000000.00000002.2734013912.00000000059C0000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs HUSDGHCE23ED.exe
Source: HUSDGHCE23ED.exe, 00000000.00000002.2733489199.0000000005870000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameExample.dll0 vs HUSDGHCE23ED.exe
Source: HUSDGHCE23ED.exe, 00000000.00000002.2727975891.000000000129E000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs HUSDGHCE23ED.exe
Source: HUSDGHCE23ED.exe, 00000000.00000000.1483342733.0000000000B12000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameSelda.exe, vs HUSDGHCE23ED.exe
Source: HUSDGHCE23ED.exe, 00000000.00000002.2729492545.0000000002F21000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameAQipUvwTwkLZyiCs.dll: vs HUSDGHCE23ED.exe
Source: HUSDGHCE23ED.exe, 00000000.00000002.2729492545.0000000002F21000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameCloudServices.exe< vs HUSDGHCE23ED.exe
Source: HUSDGHCE23ED.exe, 00000000.00000002.2731298048.0000000003F29000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameExample.dll0 vs HUSDGHCE23ED.exe
Source: HUSDGHCE23ED.exe, 00000000.00000002.2731298048.0000000003F29000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameCloudServices.exe< vs HUSDGHCE23ED.exe
Source: HUSDGHCE23ED.exe, 00000002.00000002.2727668161.00000000009B7000.00000004.00000010.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameUNKNOWN_FILET vs HUSDGHCE23ED.exe
Source: HUSDGHCE23ED.exe, 00000002.00000002.2727538704.000000000041A000.00000040.00000400.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameCloudServices.exe< vs HUSDGHCE23ED.exe
Source: HUSDGHCE23ED.exe; Binary or memory string: OriginalFilenameSelda.exe, vs HUSDGHCE23ED.exe
Source: HUSDGHCE23ED.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.HUSDGHCE23ED.exe.3fe0e10.2.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.HUSDGHCE23ED.exe.3fe0e10.2.unpack, type: UNPACKEDPE; Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.HUSDGHCE23ED.exe.3fe0e10.2.raw.unpack, UltraSpeed.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.HUSDGHCE23ED.exe.3fe0e10.2.raw.unpack, COVIDPickers.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.HUSDGHCE23ED.exe.3ff7c40.3.raw.unpack, UltraSpeed.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.HUSDGHCE23ED.exe.3ff7c40.3.raw.unpack, COVIDPickers.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.HUSDGHCE23ED.exe.5870000.5.raw.unpack, DarkListView.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.HUSDGHCE23ED.exe.3f6e170.4.raw.unpack, DarkListView.csCryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.HUSDGHCE23ED.exe.5870000.5.raw.unpack, DarkComboBox.csBase64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
                Source: 0.2.HUSDGHCE23ED.exe.3f6e170.4.raw.unpack, DarkComboBox.csBase64 encoded string: 'Uwm+UuKGd614I69RzLI93aXq8M4plP4Fl8XGnAA54HkS/0jMOBsYAdDU3ufQvFFjYZJP0JeYZcnDYanLTNfb9IJuC/u1be1KdJkORevGYuzVlkHzJtU9FNAhjxyJAuY/'
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/0@2/2
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exeMutant created: NULL
                Source: HUSDGHCE23ED.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: HUSDGHCE23ED.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: HUSDGHCE23ED.exe, 00000002.00000002.2729460791.0000000002D20000.00000004.00000800.00020000.00000000.sdmp, HUSDGHCE23ED.exe, 00000002.00000002.2729460791.0000000002CFF000.00000004.00000800.00020000.00000000.sdmp, HUSDGHCE23ED.exe, 00000002.00000002.2729460791.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, HUSDGHCE23ED.exe, 00000002.00000002.2731061238.0000000003C2D000.00000004.00000800.00020000.00000000.sdmp, HUSDGHCE23ED.exe, 00000002.00000002.2729460791.0000000002D14000.00000004.00000800.00020000.00000000.sdmp, HUSDGHCE23ED.exe, 00000002.00000002.2729460791.0000000002CF1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: HUSDGHCE23ED.exeReversingLabs: Detection: 65%
                Source: unknownProcess created: C:\Users\user\Desktop\HUSDGHCE23ED.exe "C:\Users\user\Desktop\HUSDGHCE23ED.exe"
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exeProcess created: C:\Users\user\Desktop\HUSDGHCE23ED.exe "C:\Users\user\Desktop\HUSDGHCE23ED.exe"
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exeProcess created: C:\Users\user\Desktop\HUSDGHCE23ED.exe "C:\Users\user\Desktop\HUSDGHCE23ED.exe"Jump to behavior
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: dwrite.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: textshaping.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: textinputframework.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: coreuicomponents.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: coremessaging.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: ntmarta.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: rasapi32.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: rasman.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: rtutils.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: dhcpcsvc6.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: dhcpcsvc.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: dnsapi.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: fwpuclnt.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: secur32.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: schannel.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: mskeyprotect.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: ncryptsslp.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Section loaded: dpapi.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: HUSDGHCE23ED.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: HUSDGHCE23ED.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: Binary string: C:\Users\GT350\source\repos\UpdatedRunpe\UpdatedRunpe\obj\x86\Debug\AQipUvwTwkLZyiCs.pdb source: HUSDGHCE23ED.exe, 00000000.00000002.2734013912.00000000059C0000.00000004.08000000.00040000.00000000.sdmp, HUSDGHCE23ED.exe, 00000000.00000002.2729492545.0000000002F21000.00000004.00000800.00020000.00000000.sdmp

                Data Obfuscation

                Source: HUSDGHCE23ED.exe, --.cs | .Net Code: CypherMatic System.Reflection.Assembly.Load(byte[])
                Source: HUSDGHCE23ED.exe | Static PE information: 0xA304A0A8 [Thu Aug 31 23:18:00 2056 UTC]
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Code function: 0_2_0554B518 pushfd ; iretd 0_2_0554B521
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Code function: 0_2_05B5A152 pushad ; iretd 0_2_05B5A159
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Code function: 2_2_0107BF80 push esp; ret 2_2_0107BFED
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Code function: 2_2_0107BFE0 push esp; ret 2_2_0107BFED
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Code function: 2_2_063C376A push es; retf 2_2_063C378C
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Code function: 2_2_063C4B36 push es; iretd 2_2_063C4BE0
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Code function: 2_2_063C4BB0 push es; iretd 2_2_063C4BE0
                Source: HUSDGHCE23ED.exe | Static PE information: section name: .text entropy: 6.848620491340598
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Memory allocated: 1580000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Memory allocated: 2F20000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Memory allocated: 4F20000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Memory allocated: 1070000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Memory allocated: 2C00000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Memory allocated: 2990000 memory reserve | memory write watch
                Source: HUSDGHCE23ED.exe, 00000002.00000002.2727817199.0000000000D17000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Code function: 2_2_063C4560 LdrInitializeThunk,LdrInitializeThunk,2_2_063C4560
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: HUSDGHCE23ED.exe, -J-.cs | Reference to suspicious API methods: _FFFD_FFFD_05C1_0314.LoadLibraryExW("compstui.dll", IntPtr.Zero, _0609_06E8._07BB_FFFD | _0609_06E8._FFFDm_FFFD_002DW)
                Source: 0.2.HUSDGHCE23ED.exe.59c0000.6.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
                Source: 0.2.HUSDGHCE23ED.exe.59c0000.6.raw.unpack, vTOBOpTyAAvQkvZvwvxLfhLDrUkCOfiQETyyQECGGfUQGE.cs | Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
                Source: 0.2.HUSDGHCE23ED.exe.3fe0e10.2.raw.unpack, UltraSpeed.cs | Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Memory written: C:\Users\user\Desktop\HUSDGHCE23ED.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Process created: C:\Users\user\Desktop\HUSDGHCE23ED.exe "C:\Users\user\Desktop\HUSDGHCE23ED.exe"
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Queries volume information: C:\Users\user\Desktop\HUSDGHCE23ED.exe VolumeInformation
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Queries volume information: C:\Users\user\Desktop\HUSDGHCE23ED.exe VolumeInformation
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

Yara match sources (the identical list is reported by two Yara-based signatures in this section):
• 0.2.HUSDGHCE23ED.exe.3fe0e10.2.unpack (UNPACKEDPE)
• 2.2.HUSDGHCE23ED.exe.400000.0.unpack (UNPACKEDPE)
• 0.2.HUSDGHCE23ED.exe.3ff7c40.3.unpack (UNPACKEDPE)
• 0.2.HUSDGHCE23ED.exe.3ff7c40.3.raw.unpack (UNPACKEDPE)
• 0.2.HUSDGHCE23ED.exe.3fe0e10.2.raw.unpack (UNPACKEDPE)
• 0.2.HUSDGHCE23ED.exe.3f6e170.4.raw.unpack (UNPACKEDPE)
• 00000002.00000002.2727538704.0000000000402000.00000040.00000400.00020000.00000000.sdmp (MEMORY)
• 00000000.00000002.2731298048.0000000003F29000.00000004.00000800.00020000.00000000.sdmp (MEMORY)
• Process Memory Space: HUSDGHCE23ED.exe PID: 2168 (MEMORYSTR)
• Process Memory Space: HUSDGHCE23ED.exe PID: 5424 (MEMORYSTR)
Source: C:\Users\user\Desktop\HUSDGHCE23ED.exe
• File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
• File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
• Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Yara match sources (third Yara-based signature in this section; note the additional memory dump at 2D5E000):
• 0.2.HUSDGHCE23ED.exe.3fe0e10.2.unpack (UNPACKEDPE)
• 2.2.HUSDGHCE23ED.exe.400000.0.unpack (UNPACKEDPE)
• 0.2.HUSDGHCE23ED.exe.3ff7c40.3.unpack (UNPACKEDPE)
• 0.2.HUSDGHCE23ED.exe.3ff7c40.3.raw.unpack (UNPACKEDPE)
• 0.2.HUSDGHCE23ED.exe.3fe0e10.2.raw.unpack (UNPACKEDPE)
• 0.2.HUSDGHCE23ED.exe.3f6e170.4.raw.unpack (UNPACKEDPE)
• 00000002.00000002.2727538704.0000000000402000.00000040.00000400.00020000.00000000.sdmp (MEMORY)
• 00000002.00000002.2729460791.0000000002D5E000.00000004.00000800.00020000.00000000.sdmp (MEMORY)
• 00000000.00000002.2731298048.0000000003F29000.00000004.00000800.00020000.00000000.sdmp (MEMORY)
• Process Memory Space: HUSDGHCE23ED.exe PID: 2168 (MEMORYSTR)
• Process Memory Space: HUSDGHCE23ED.exe PID: 5424 (MEMORYSTR)

                Remote Access Functionality

Yara match sources (the identical list is reported by two Yara-based signatures in this section):
• 0.2.HUSDGHCE23ED.exe.3fe0e10.2.unpack (UNPACKEDPE)
• 2.2.HUSDGHCE23ED.exe.400000.0.unpack (UNPACKEDPE)
• 0.2.HUSDGHCE23ED.exe.3ff7c40.3.unpack (UNPACKEDPE)
• 0.2.HUSDGHCE23ED.exe.3ff7c40.3.raw.unpack (UNPACKEDPE)
• 0.2.HUSDGHCE23ED.exe.3fe0e10.2.raw.unpack (UNPACKEDPE)
• 0.2.HUSDGHCE23ED.exe.3f6e170.4.raw.unpack (UNPACKEDPE)
• 00000002.00000002.2727538704.0000000000402000.00000040.00000400.00020000.00000000.sdmp (MEMORY)
• 00000000.00000002.2731298048.0000000003F29000.00000004.00000800.00020000.00000000.sdmp (MEMORY)
• Process Memory Space: HUSDGHCE23ED.exe PID: 2168 (MEMORYSTR)
• Process Memory Space: HUSDGHCE23ED.exe PID: 5424 (MEMORYSTR)
MITRE ATT&CK Matrix

Techniques flagged by at least one signature, grouped by tactic. The number after each technique is the signature count as rendered on the matrix (the page shows one count per matched sub-technique, so an entry such as 111 is several adjacent counts).

• Execution: Native API (1)
• Persistence: DLL Side-Loading (1)
• Privilege Escalation: Process Injection (111), DLL Side-Loading (1)
• Defense Evasion: Virtualization/Sandbox Evasion (1), Disable or Modify Tools (1), Process Injection (111), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (31), Software Packing (11), Timestomp (1), DLL Side-Loading (1)
• Credential Access: OS Credential Dumping (1), Input Capture (1)
• Discovery: Query Registry (1), Security Software Discovery (1), Virtualization/Sandbox Evasion (1), Process Discovery (1), System Network Configuration Discovery (1), System Information Discovery (13)
• Collection: Email Collection (1), Input Capture (1), Archive Collected Data (11), Data from Local System (1)
• Command and Control: Encrypted Channel (11), Ingress Tool Transfer (1), Non-Application Layer Protocol (2), Application Layer Protocol (13)

No technique was flagged under Reconnaissance, Resource Development, Initial Access, Lateral Movement, Exfiltration or Impact; for those tactics the matrix shows only its unflagged default cells (Gather Victim Identity Information, Acquire Infrastructure, Valid Accounts, Remote Services, Exfiltration Over Other Network Medium, Abuse Accessibility Features and the rest of the standard rows).

Antivirus Detection

Source | Detection | Scanner | Label
HUSDGHCE23ED.exe | 66% | ReversingLabs | Win32.Trojan.Znyonm

No antivirus matches in the remaining four antivirus sub-tables.
Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 172.67.177.134 | true | false | (none) | high
checkip.dyndns.com | 158.101.44.242 | true | false | (none) | high
checkip.dyndns.org | unknown | unknown | false | (none) | high
Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | (none) | high
https://reallyfreegeoip.org/xml/8.46.123.189 | false | (none) | high
URLs from Memory and Binaries

The trailing characters on some names (for example "189l", "comd", "org/q") are part of the string as it was found in memory, not typos. All entries: Malicious = false, Antivirus Detection = none, Reputation = high.

Name | Source (memory dump)
https://reallyfreegeoip.org/xml/8.46.123.189l | HUSDGHCE23ED.exe, 00000002.00000002.2729460791.0000000002C7E000.00000004.00000800.00020000.00000000.sdmp
http://checkip.dyndns.comd | HUSDGHCE23ED.exe, 00000002.00000002.2729460791.0000000002C7E000.00000004.00000800.00020000.00000000.sdmp
http://checkip.dyndns.org/q | HUSDGHCE23ED.exe, 00000000.00000002.2731298048.0000000003F29000.00000004.00000800.00020000.00000000.sdmp; HUSDGHCE23ED.exe, 00000002.00000002.2727538704.0000000000402000.00000040.00000400.00020000.00000000.sdmp
http://reallyfreegeoip.orgd | HUSDGHCE23ED.exe, 00000002.00000002.2729460791.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp
https://reallyfreegeoip.org/xml/8.46.123.189d | HUSDGHCE23ED.exe, 00000002.00000002.2729460791.0000000002C7E000.00000004.00000800.00020000.00000000.sdmp
http://reallyfreegeoip.org | HUSDGHCE23ED.exe, 00000002.00000002.2729460791.0000000002C9F000.00000004.00000800.00020000.00000000.sdmp
http://checkip.dyndns.orgd | HUSDGHCE23ED.exe, 00000002.00000002.2729460791.0000000002C7E000.00000004.00000800.00020000.00000000.sdmp
https://reallyfreegeoip.org | HUSDGHCE23ED.exe, 00000002.00000002.2729460791.0000000002C7E000.00000004.00000800.00020000.00000000.sdmp
http://checkip.dyndns.org | HUSDGHCE23ED.exe, 00000002.00000002.2729460791.0000000002C7E000.00000004.00000800.00020000.00000000.sdmp; HUSDGHCE23ED.exe, 00000002.00000002.2729460791.0000000002C72000.00000004.00000800.00020000.00000000.sdmp
http://checkip.dyndns.com | HUSDGHCE23ED.exe, 00000002.00000002.2729460791.0000000002C7E000.00000004.00000800.00020000.00000000.sdmp
http://checkip.dyndns.org/d | HUSDGHCE23ED.exe, 00000002.00000002.2729460791.0000000002C7E000.00000004.00000800.00020000.00000000.sdmp
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | HUSDGHCE23ED.exe, 00000002.00000002.2729460791.0000000002C01000.00000004.00000800.00020000.00000000.sdmp
https://api.telegram.org/bot-/sendDocument?chat_id= | HUSDGHCE23ED.exe, 00000000.00000002.2731298048.0000000003F29000.00000004.00000800.00020000.00000000.sdmp; HUSDGHCE23ED.exe, 00000002.00000002.2727538704.0000000000402000.00000040.00000400.00020000.00000000.sdmp
https://reallyfreegeoip.org/xml/ | HUSDGHCE23ED.exe, 00000000.00000002.2731298048.0000000003F29000.00000004.00000800.00020000.00000000.sdmp; HUSDGHCE23ED.exe, 00000002.00000002.2729460791.0000000002C7E000.00000004.00000800.00020000.00000000.sdmp; HUSDGHCE23ED.exe, 00000002.00000002.2727538704.0000000000402000.00000040.00000400.00020000.00000000.sdmp
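The credential-access behaviour in the Stealing of Sensitive Information section (Chrome and Edge "Login Data" stores opened, the Outlook profile key read) and the URL strings above (checkip.dyndns.org and reallyfreegeoip.org lookups, a Telegram Bot API sendDocument URL) are the indicator set an analyst would turn into a triage rule. The Python below is an added example and not part of the Joe Sandbox report: it classifies behaviour events against exactly those indicators and combines them into a verdict. The event dictionary shape, the Finding class and the EVENTS list are constructed for this example; the paths, hostnames and URL fragments inside them are taken from the report, while the PID assignment is arbitrary.

```python
"""Triage helper: match sandbox behaviour events against the credential-theft
and exfiltration indicators this report lists.  Added example, not Joe Sandbox
code; EVENTS below is constructed to mirror the report, not a real log export."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Indicator families from the report.  The hostnames and paths are the ones the
# report shows; the regular expressions around them are this example's own.
BROWSER_LOGIN_DB = re.compile(r"\\User Data\\[^\\]+\\Login Data$", re.IGNORECASE)
OUTLOOK_PROFILE = re.compile(
    r"\\Windows Messaging Subsystem\\Profiles\\Outlook\\", re.IGNORECASE)
IP_CHECK_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com", "reallyfreegeoip.org"}
TELEGRAM_HOST = "api.telegram.org"
# "bot-" in the report is a redacted/empty token, so allow an empty token part.
TELEGRAM_BOT_PATH = re.compile(r"^/bot[^/]*/send(Document|Message)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    pid: int
    category: str   # browser_creds | mail_creds | ip_check | telegram_exfil
    evidence: str


def classify(event: dict) -> Optional[Finding]:
    """Map one behaviour event to an indicator category, or None if it is benign."""
    pid, kind, value = event["pid"], event["kind"], event["value"]
    if kind == "file_open" and BROWSER_LOGIN_DB.search(value):
        return Finding(pid, "browser_creds", value)
    if kind == "key_open" and OUTLOOK_PROFILE.search(value):
        return Finding(pid, "mail_creds", value)
    if kind == "http":
        url = urlparse(value)
        host = (url.hostname or "").lower()
        if host in IP_CHECK_HOSTS:
            return Finding(pid, "ip_check", value)
        if host == TELEGRAM_HOST and TELEGRAM_BOT_PATH.match(url.path):
            return Finding(pid, "telegram_exfil", value)
    return None


def triage(events: list) -> list:
    """Run every event through classify() and keep the hits."""
    return [f for f in (classify(e) for e in events) if f is not None]


def verdict(findings: list) -> str:
    """Credential access plus an outbound channel is what separates a stealer
    with exfiltration from a process that merely queries its public IP."""
    cats = {f.category for f in findings}
    steals = bool(cats & {"browser_creds", "mail_creds"})
    exfil = "telegram_exfil" in cats
    if steals and exfil:
        return "stealer-with-exfil"
    if steals or exfil or "ip_check" in cats:
        return "suspicious"
    return "clean"


# Constructed events mirroring the report's observations.  The PID is a
# placeholder (the report names PIDs 2168 and 5424 but not which one did what).
EVENTS = [
    {"pid": 5424, "kind": "file_open",
     "value": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 5424, "kind": "file_open",
     "value": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"pid": 5424, "kind": "key_open",
     "value": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion"
              r"\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"pid": 5424, "kind": "http", "value": "http://checkip.dyndns.org/"},
    {"pid": 5424, "kind": "http", "value": "https://reallyfreegeoip.org/xml/8.46.123.189"},
    {"pid": 5424, "kind": "http",
     "value": "https://api.telegram.org/bot-/sendDocument?chat_id="},
    # A benign control event that must not match anything.
    {"pid": 5424, "kind": "file_open", "value": r"C:\Windows\System32\kernel32.dll"},
]

if __name__ == "__main__":
    found = triage(EVENTS)
    for f in found:
        print(f"{f.pid} {f.category:15} {f.evidence}")
    print("verdict:", verdict(found))
```

"Login Data" is the Chromium SQLite credential store, so a non-browser process opening it is a strong signal on its own; the verdict function still waits for the Telegram channel before escalating, which mirrors how this report grades the sample (stealer plus exfiltration) rather than treating an IP lookup alone as a conviction.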
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
158.101.44.242 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
172.67.177.134 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
General Information

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1578148
Start date and time: 2024-12-19 10:27:16 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 14s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: HUSDGHCE23ED.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/0@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 102
• Number of non-executed functions: 20
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.218.208.109, 172.202.163.200, 52.149.20.212, 13.107.246.63
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analysed; the report is missing behaviour information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: HUSDGHCE23ED.exe
                                                      No simulations
Context by IP

Match: 158.101.44.242
Associated sample | Detection | Threat name | Context
_Company.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
RFQ December-January Forcast and TCL.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
PAYMENT ADVICE TT07180016-24_pdf.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
Justificante pago-09453256434687.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
pedido-035241.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
FT876567090.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
REQUEST FOR QUOTATION 1307-RFQ.exe | malicious | MassLogger RAT | checkip.dyndns.org/
PURCHASE ORDER 006-2024 GIA-AV Rev 1_pdf.exe | malicious | GuLoader | checkip.dyndns.org/
Context by Domain

Match: checkip.dyndns.com
Associated sample | Detection | Threat name | Context
66776676676.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 193.122.130.0
_Company.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
F.O Pump Istek,Docx.bat | malicious | DBatLoader, PureLog Stealer, Snake Keylogger | 132.226.8.169
D.G Governor Istek,Docx.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger | 132.226.247.73
0001.exe | malicious | Snake Keylogger | 132.226.8.169
Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 193.122.6.168
RFQ December-January Forcast and TCL.exe | malicious | GuLoader, MassLogger RAT | 158.101.44.242
Invoice.exe | malicious | Snake Keylogger | 193.122.6.168
PK241200518-EMAIL RELEASE-pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.8.169

Match: reallyfreegeoip.org
Associated sample | Detection | Threat name | Context
66776676676.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 172.67.177.134
_Company.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.67.152
0001.exe | malicious | Snake Keylogger | 104.21.67.152
Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.67.152
PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 104.21.67.152
RFQ December-January Forcast and TCL.exe | malicious | GuLoader, MassLogger RAT | 172.67.177.134
Invoice.exe | malicious | Snake Keylogger | 172.67.177.134
PK241200518-EMAIL RELEASE-pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 172.67.177.134
ugpJX5h56S.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 172.67.177.134
87h216Snb7.exe | malicious | GuLoader, Snake Keylogger | 104.21.67.152
Context by ASN

Match: ORACLE-BMC-31898US
Associated sample | Detection | Threat name | Context
x86_32.nn.elf | malicious | Mirai, Okiru | 150.136.65.7
sparc.nn.elf | malicious | Mirai, Okiru | 193.123.7.187
66776676676.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 193.122.130.0
la.bot.arm7.elf | malicious | Mirai | 129.148.164.81
la.bot.sh4.elf | malicious | Mirai | 132.145.4.150
_Company.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 158.101.44.242
RFQ December-January Forcast and TCL.exe | malicious | GuLoader, MassLogger RAT | 158.101.44.242
x86_32.nn.elf | malicious | Mirai, Okiru | 192.29.189.21
Invoice.exe | malicious | Snake Keylogger | 193.122.6.168

Match: CLOUDFLARENETUS
Associated sample | Detection | Threat name | Context
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar | 172.67.179.109
CROC000400 .pdf | malicious | Unknown | 162.247.243.29
contract_signed.pdf | malicious | Unknown | 104.21.16.1
https://ipfs.io/ipfs/bafybeih7f27bkklyai5zhnf5s57wuee5khsdrrblepmiz5bozrxxoam2lq/index12.html#pdeneve@vanas.eu | malicious | HTMLPhisher | 104.17.25.14
iviewers.dll | malicious | CredGrabber, Meduza Stealer | 104.26.12.205
script.ps1 | malicious | CredGrabber, Meduza Stealer | 104.26.12.205
MFQbv2Yuzv.exe | malicious | LummaC, Stealc | 104.21.64.80
SWIFT COPY.exe | malicious | FormBook | 104.21.86.111
Y41xQGmT37.exe | malicious | LummaC, Stealc | 104.21.64.80
O3u9C8cpzl.exe | malicious | LummaC, Stealc | 104.21.64.80
Context by JA3 Fingerprint

Match: 54328bd36c14bd82ddaa0c04b25ed9ad
Associated sample | Detection | Threat name | Context
66776676676.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 172.67.177.134
_Company.exe | malicious | Snake Keylogger, VIP Keylogger | 172.67.177.134
0001.exe | malicious | Snake Keylogger | 172.67.177.134
Nuevo pedido de cotizaci#U00f3n 663837 4899272.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 172.67.177.134
PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 172.67.177.134
RFQ December-January Forcast and TCL.exe | malicious | GuLoader, MassLogger RAT | 172.67.177.134
Invoice.exe | malicious | Snake Keylogger | 172.67.177.134
PK241200518-EMAIL RELEASE-pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 172.67.177.134
ugpJX5h56S.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 172.67.177.134
                                                      No context
                                                      No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 6.842210277030262
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: HUSDGHCE23ED.exe
File size: 959'488 bytes
MD5: 43d515ce2b62bad63485ed46844f643a
SHA1: 54d484d170f54f420d82a475b9e6735cdffa5f85
SHA256: 547f1a4190de76e64b30bbf7af297dd27726fb938027fd19b65db5e6d74e23cd
SHA512: 497469af92b1ebb3f34cf5987cb38789059c342347a73afa6441e63808af7b579c506715e22445ed1ecb47507d9da97401a4b96f6351932371112fb43ab297c8
SSDEEP: 24576:mJVcWy9iv8r2FHqbawOGHtCW8OGSJwnpeWHm:mJVcWy9avOGSEeWH
TLSH: 3D158C1677FC5E1ED2AE477BF4B4081A87F5F902B362EA0D6810B76D0C93B8149513AB
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................................@................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x4eb8de
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xA304A0A8 [Thu Aug 31 23:18:00 2056 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                                                      Instruction
                                                      jmp dword ptr [00402000h]
                                                      add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xeb890 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xec000 | 0x586 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xee000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xe98e4 | 0xe9a00 | 1f0d1120f225a0eb56842731261c2c10 | False | 0.5024077046548957 | data | 6.848620491340598 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xec000 | 0x586 | 0x600 | b17a6a297e819edcf190895f02b6935d | False | 0.4147135416666667 | data | 4.02242861256686 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xee000 | 0xc | 0x200 | a00dcdd8ede12488b6e48ca4e84351cd | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xec0a0 | 0x2fc | data | | | 0.43848167539267013
RT_MANIFEST | 0xec39c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347

DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-19T10:28:34.565523+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.9 | 49705 | 158.101.44.242 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 19, 2024 10:28:29.135600090 CET | 49705 | 80 | 192.168.2.9 | 158.101.44.242
Dec 19, 2024 10:28:29.255162954 CET | 80 | 49705 | 158.101.44.242 | 192.168.2.9
Dec 19, 2024 10:28:29.255250931 CET | 49705 | 80 | 192.168.2.9 | 158.101.44.242
Dec 19, 2024 10:28:29.282262087 CET | 49705 | 80 | 192.168.2.9 | 158.101.44.242
Dec 19, 2024 10:28:29.401981115 CET | 80 | 49705 | 158.101.44.242 | 192.168.2.9
Dec 19, 2024 10:28:32.459820032 CET | 80 | 49705 | 158.101.44.242 | 192.168.2.9
Dec 19, 2024 10:28:32.481225967 CET | 49705 | 80 | 192.168.2.9 | 158.101.44.242
Dec 19, 2024 10:28:32.600698948 CET | 80 | 49705 | 158.101.44.242 | 192.168.2.9
Dec 19, 2024 10:28:34.511753082 CET | 80 | 49705 | 158.101.44.242 | 192.168.2.9
Dec 19, 2024 10:28:34.565522909 CET | 49705 | 80 | 192.168.2.9 | 158.101.44.242
Dec 19, 2024 10:28:34.829097986 CET | 49710 | 443 | 192.168.2.9 | 172.67.177.134
Dec 19, 2024 10:28:34.829153061 CET | 443 | 49710 | 172.67.177.134 | 192.168.2.9
Dec 19, 2024 10:28:34.829217911 CET | 49710 | 443 | 192.168.2.9 | 172.67.177.134
Dec 19, 2024 10:28:34.839296103 CET | 49710 | 443 | 192.168.2.9 | 172.67.177.134
Dec 19, 2024 10:28:34.839318037 CET | 443 | 49710 | 172.67.177.134 | 192.168.2.9
Dec 19, 2024 10:28:36.053741932 CET | 443 | 49710 | 172.67.177.134 | 192.168.2.9
Dec 19, 2024 10:28:36.054047108 CET | 49710 | 443 | 192.168.2.9 | 172.67.177.134
Dec 19, 2024 10:28:36.059118032 CET | 49710 | 443 | 192.168.2.9 | 172.67.177.134
Dec 19, 2024 10:28:36.059125900 CET | 443 | 49710 | 172.67.177.134 | 192.168.2.9
Dec 19, 2024 10:28:36.060398102 CET | 443 | 49710 | 172.67.177.134 | 192.168.2.9
Dec 19, 2024 10:28:36.112494946 CET | 49710 | 443 | 192.168.2.9 | 172.67.177.134
Dec 19, 2024 10:28:36.144057035 CET | 49710 | 443 | 192.168.2.9 | 172.67.177.134
Dec 19, 2024 10:28:36.191343069 CET | 443 | 49710 | 172.67.177.134 | 192.168.2.9
Dec 19, 2024 10:28:36.489612103 CET | 443 | 49710 | 172.67.177.134 | 192.168.2.9
Dec 19, 2024 10:28:36.489713907 CET | 443 | 49710 | 172.67.177.134 | 192.168.2.9
Dec 19, 2024 10:28:36.490016937 CET | 49710 | 443 | 192.168.2.9 | 172.67.177.134
Dec 19, 2024 10:28:36.496438980 CET | 49710 | 443 | 192.168.2.9 | 172.67.177.134
Dec 19, 2024 10:29:39.516609907 CET | 80 | 49705 | 158.101.44.242 | 192.168.2.9
Dec 19, 2024 10:29:39.516669989 CET | 49705 | 80 | 192.168.2.9 | 158.101.44.242
Dec 19, 2024 10:30:14.519728899 CET | 49705 | 80 | 192.168.2.9 | 158.101.44.242
Dec 19, 2024 10:30:14.639226913 CET | 80 | 49705 | 158.101.44.242 | 192.168.2.9
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 19, 2024 10:28:28.955974102 CET | 56940 | 53 | 192.168.2.9 | 1.1.1.1
Dec 19, 2024 10:28:29.094106913 CET | 53 | 56940 | 1.1.1.1 | 192.168.2.9
Dec 19, 2024 10:28:34.514331102 CET | 49493 | 53 | 192.168.2.9 | 1.1.1.1
Dec 19, 2024 10:28:34.828166962 CET | 53 | 49493 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 19, 2024 10:28:28.955974102 CET | 192.168.2.9 | 1.1.1.1 | 0x2d50 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Dec 19, 2024 10:28:34.514331102 CET | 192.168.2.9 | 1.1.1.1 | 0x35f2 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 19, 2024 10:28:29.094106913 CET | 1.1.1.1 | 192.168.2.9 | 0x2d50 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 19, 2024 10:28:29.094106913 CET | 1.1.1.1 | 192.168.2.9 | 0x2d50 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 10:28:29.094106913 CET | 1.1.1.1 | 192.168.2.9 | 0x2d50 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 10:28:29.094106913 CET | 1.1.1.1 | 192.168.2.9 | 0x2d50 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 10:28:29.094106913 CET | 1.1.1.1 | 192.168.2.9 | 0x2d50 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 10:28:29.094106913 CET | 1.1.1.1 | 192.168.2.9 | 0x2d50 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 10:28:34.828166962 CET | 1.1.1.1 | 192.168.2.9 | 0x35f2 | No error (0) | reallyfreegeoip.org | | 172.67.177.134 | A (IP address) | IN (0x0001) | false
Dec 19, 2024 10:28:34.828166962 CET | 1.1.1.1 | 192.168.2.9 | 0x35f2 | No error (0) | reallyfreegeoip.org | | 104.21.67.152 | A (IP address) | IN (0x0001) | false
                                                      • reallyfreegeoip.org
                                                      • checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49705 | 158.101.44.242 | 80 | 5424 | C:\Users\user\Desktop\HUSDGHCE23ED.exe

Timestamp | Bytes transferred | Direction | Data
Dec 19, 2024 10:28:29.282262087 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Dec 19, 2024 10:28:32.459820032 CET | 730 | IN | HTTP/1.1 502 Bad Gateway
Date: Thu, 19 Dec 2024 09:28:32 GMT
Content-Type: text/html
Content-Length: 547
Connection: keep-alive
X-Request-ID: 88c2a4ab3b834bbbe3a336b34e8509c6
                                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 [TRUNCATED]
                                                      Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center></center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->
Dec 19, 2024 10:28:32.481225967 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Dec 19, 2024 10:28:34.511753082 CET | 321 | IN | HTTP/1.1 200 OK
Date: Thu, 19 Dec 2024 09:28:34 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 5251b1e82f2a12415684d9c9335c25a5
                                                      Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                      Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49710 | 172.67.177.134 | 443 | 5424 | C:\Users\user\Desktop\HUSDGHCE23ED.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-19 09:28:36 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2024-12-19 09:28:36 UTC | 876 | IN | HTTP/1.1 200 OK
Date: Thu, 19 Dec 2024 09:28:36 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
                                                      Cache-Control: max-age=31536000
                                                      CF-Cache-Status: HIT
                                                      Age: 589285
                                                      Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
                                                      Accept-Ranges: bytes
                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eMrnn0pgSd1p%2BO1jCKpLP3R%2B8zR7YjQ9COQZ2%2F0p24zYCJanuLqzhvxfywPimmM0n9fayV48Gt3N35T7eg6GBiAfVTxsFKm4kuLwHCsZaqxQS9mIXOd9iLDqivFE5NXcs9UtYKnx"}],"group":"cf-nel","max_age":604800}
                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                      Server: cloudflare
                                                      CF-RAY: 8f465d0b0fbc0f74-EWR
                                                      alt-svc: h3=":443"; ma=86400
                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1456&min_rtt=1446&rtt_var=562&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1912246&cwnd=151&unsent_bytes=0&cid=76754fbbad323156&ts=448&x=0"
                                                      2024-12-19 09:28:36 UTC362INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                      Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo
Target ID: 0
Start time: 04:28:26
Start date: 19/12/2024
Path: C:\Users\user\Desktop\HUSDGHCE23ED.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\HUSDGHCE23ED.exe"
Imagebase: 0xb10000
File size: 959'488 bytes
MD5 hash: 43D515CE2B62BAD63485ED46844F643A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.2731298048.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2731298048.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2731298048.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2731298048.0000000003F29000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: false

Target ID: 2
Start time: 04:28:27
Start date: 19/12/2024
Path: C:\Users\user\Desktop\HUSDGHCE23ED.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\HUSDGHCE23ED.exe"
Imagebase: 0x740000
File size: 959'488 bytes
MD5 hash: 43D515CE2B62BAD63485ED46844F643A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.2727538704.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2727538704.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.2727538704.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.2727538704.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2729460791.0000000002D5E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                      Reputation:low
                                                      Has exited:false


                                                        Execution Graph

                                                        Execution Coverage:8.4%
                                                        Dynamic/Decrypted Code Coverage:100%
                                                        Signature Coverage:7.3%
                                                        Total number of Nodes:218
                                                        Total number of Limit Nodes:9
                                                        [Execution graph: rendered node/edge data omitted. Windows API calls reached from the graph's nodes, in the order they appear: CallWindowProcW, SetWindowLongW, DuplicateHandle, Wow64GetThreadContext, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext, ResumeThread, CreateActCtxA, GetModuleHandleW, KiUserCallbackDispatcher, CreateWindowExW, CreateProcessW, PeekMessageW, DispatchMessageW, ReadProcessMemory. The function at 554bf60 chains VirtualAllocEx (via 554bd40/554bd38), WriteProcessMemory (via 554bc50/554bc48), Wow64SetThreadContext (via 554bb78/554bb72) and ResumeThread (via 554be00/554bdf8); CreateProcessW is reached from 554caa0 and ReadProcessMemory from 554cd88.]

                                                        Control-flow Graph

                                                        [Control-flow graph for the function at 554bf60-554ca85; rendered graph omitted. Subroutines called from its basic blocks: 554ab84, 554ab90, 554ab9c, 554aba8, 554abb4, 554abc0, 554bd40/554bd38, 554bc50/554bc48 (three call sites), 554bb78/554bb72, 554be00/554bdf8.]
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2732629623.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5540000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (
                                                        • API String ID: 0-3887548279
                                                        • Opcode ID: 8085fe0ef32531a122f77cd6e44f43957e3a385ea0c6653d4cf1f63186bdbcf5
                                                        • Instruction ID: b7f3d84cb1a956d942a976dd2cf30211817592f6fa986f8bfec6be7754ed99c1
                                                        • Opcode Fuzzy Hash: 8085fe0ef32531a122f77cd6e44f43957e3a385ea0c6653d4cf1f63186bdbcf5
                                                        • Instruction Fuzzy Hash: DA52D074E01229CFEB69DF65C954BEDBBB2BF89305F1481EA8009A7291DB345E85CF40
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2734926900.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5b50000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID: DispatchMessage
                                                        • String ID:
                                                        • API String ID: 2061451462-0
                                                        • Opcode ID: 932d2a2be1601290fc20133a7a49e343bae47c860d821635166738e48222b204
                                                        • Instruction ID: cbd339ef3308a35b55730dfd7609ec9c181a850a643d070618f5dd68d540cb5f
                                                        • Opcode Fuzzy Hash: 932d2a2be1601290fc20133a7a49e343bae47c860d821635166738e48222b204
                                                        • Instruction Fuzzy Hash: 91F11E70A00309CFEB18DFA5C944BADBBF2FF88314F558199D805AF2A5DB71A945CB90
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2732629623.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5540000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bf75b335e6603397b111ca9a432925d90f6026e52c27ade31d97d9545074bef6
                                                        • Instruction ID: 8e6fc13289a335857d526f4d9aebdee328ebabab698f626f9181356334cb3401
                                                        • Opcode Fuzzy Hash: bf75b335e6603397b111ca9a432925d90f6026e52c27ade31d97d9545074bef6
                                                        • Instruction Fuzzy Hash: 92A1CF74E00219CFDB14DFA9C584A9EFBF2BF48315F1481AAD409AB356D734A981CF90

                                                        Control-flow Graph

                                                        [Control-flow graph for the function at 15cad48-15cafc8; rendered graph omitted. Subroutines called: 15ca0a0, 15cafd0/15cafe0, 15ca0ac, 15ca0bc, 15ca0cc, 15ca0dc; GetModuleHandleW is called in the block at 15caf80.]
                                                        APIs
                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 015CAF9E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2728904812.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_15c0000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID: HandleModule
                                                        • String ID:
                                                        • API String ID: 4139908857-0
                                                        • Opcode ID: b9e760194492051e55ef28ac1bd455ad647f46ccfa096dc333e79be8fd2f26da
                                                        • Instruction ID: d1ae1d6b9a6594b9482638732615d56934c9e6d6fff9f53276db119edec55008
                                                        • Opcode Fuzzy Hash: b9e760194492051e55ef28ac1bd455ad647f46ccfa096dc333e79be8fd2f26da
                                                        • Instruction Fuzzy Hash: AF713770A00B098FE725DFAAD44475ABBF1FF88600F00892DD586DBA50EB75E845CF91

                                                        Control-flow Graph

                                                        [Control-flow graph for the function at 554ca96-554cc9d; rendered graph omitted. CreateProcessW is called in the block at 554cb54.]
                                                        APIs
                                                        • CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 0554CBDC
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2732629623.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5540000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID: CreateProcess
                                                        • String ID:
                                                        • API String ID: 963392458-0
                                                        • Opcode ID: 296fbedeac3e1352d04d5279907e09d8f74e1e788b17cc89c03c8aec18f91fce
                                                        • Instruction ID: f349b9944be08d89a4648c828bb3f7b2670ea9e25ad15727718acf99d1d8bd37
                                                        • Opcode Fuzzy Hash: 296fbedeac3e1352d04d5279907e09d8f74e1e788b17cc89c03c8aec18f91fce
                                                        • Instruction Fuzzy Hash: B4510575901329DFDF24CF95C944BDDBBB2BF49304F1080AAE918AB250DB759A88CF51

                                                        Control-flow Graph

                                                        [Control-flow graph for the function at 554caa0-554cc9d; rendered graph omitted. CreateProcessW is called in the block at 554cb54.]
                                                        APIs
                                                        • CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 0554CBDC
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2732629623.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5540000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID: CreateProcess
                                                        • String ID:
                                                        • API String ID: 963392458-0
                                                        • Opcode ID: 2444a42c3d749dc0665759402da0616008a9c946e4796a4fb54c71031da0a33e
                                                        • Instruction ID: 30325faa8c5c839fdb775ba431d9831ec5fc47f9ab5e173ce0432a970d6e5575
                                                        • Opcode Fuzzy Hash: 2444a42c3d749dc0665759402da0616008a9c946e4796a4fb54c71031da0a33e
                                                        • Instruction Fuzzy Hash: E0510775901329DFDF24CF95C944BDEBBB1BF49304F1080AAE908A7250D7759A88CF51

                                                        Control-flow Graph

                                                        [Control-flow graph for the function at 55418e4-5541a61; rendered graph omitted. CreateWindowExW is called in the block at 5541973.]
                                                        APIs
                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05541A02
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2732629623.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5540000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID: CreateWindow
                                                        • String ID:
                                                        • API String ID: 716092398-0
                                                        • Opcode ID: e076f53fbb40c2c5218ff58ccb898ca661ead6d74ab29ab1255c50d7e1bb580f
                                                        • Instruction ID: 05b5c597ee2a0c98f503aad4b9b57a2d9f9e3d76850d4ef51b535b360325ea60
                                                        • Opcode Fuzzy Hash: e076f53fbb40c2c5218ff58ccb898ca661ead6d74ab29ab1255c50d7e1bb580f
                                                        • Instruction Fuzzy Hash: 7151C1B5D00749DFDB14CF9AC884ADEBBB5FF48314F64812AE819AB210D7719985CF90

                                                        Control-flow Graph

                                                        [Control-flow graph for the function at 55418f0-5541a61; rendered graph omitted. CreateWindowExW is called in the block at 5541973.]
                                                        APIs
                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05541A02
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2732629623.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5540000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID: CreateWindow
                                                        • String ID:
                                                        • API String ID: 716092398-0
                                                        • Opcode ID: 0f5087485dc65b2af85c24952bb8abbd971fc91f05453df8f549ca765b3d6d95
                                                        • Instruction ID: 42e81b0254918bba5ddec534da4735c7f016aa100c39631b7bbd074345d5f572
                                                        • Opcode Fuzzy Hash: 0f5087485dc65b2af85c24952bb8abbd971fc91f05453df8f549ca765b3d6d95
                                                        • Instruction Fuzzy Hash: 4841C0B5D00708DFDB14CF9AC884ADEBBB5FF48314F24812AE819AB210D770A985CF90

                                                        Control-flow Graph

                                                        [Control-flow graph for the function at 15c4248-15c5a61; rendered graph omitted. CreateActCtxA is called in the entry block.]
                                                        APIs
                                                        • CreateActCtxA.KERNEL32(?), ref: 015C59C9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2728904812.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_15c0000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID: Create
                                                        • String ID:
                                                        • API String ID: 2289755597-0
                                                        • Opcode ID: 57dca2c5bc1adc22ad00487d19e7d4e0d44fc74b13e5c76ecd343e95ceb57b48
                                                        • Instruction ID: 559dfca9dabf9beb913a0849be996ca2df653c6b69918cc06609d0909c1d595b
                                                        • Opcode Fuzzy Hash: 57dca2c5bc1adc22ad00487d19e7d4e0d44fc74b13e5c76ecd343e95ceb57b48
                                                        • Instruction Fuzzy Hash: 1841C070D10718CFDB24CFAAC884BDEBBB5BF49704F60806AD408AB251EBB16945CF90

                                                        Control-flow Graph

                                                        [Control-flow graph for the function at 15c590d-15c5a61; rendered graph omitted. CreateActCtxA is called in the entry block.]
                                                        APIs
                                                        • CreateActCtxA.KERNEL32(?), ref: 015C59C9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2728904812.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_15c0000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID: Create
                                                        • String ID:
                                                        • API String ID: 2289755597-0
                                                        • Opcode ID: b426e07f5fd02456baf74a64f1cf43ba98b432a66af1dc0d47a9a2bab6bd47a2
                                                        • Instruction ID: b7117dc03a79082f688e72c824241b74b570d2e32cd9008155b7dab6db89b5a3
                                                        • Opcode Fuzzy Hash: b426e07f5fd02456baf74a64f1cf43ba98b432a66af1dc0d47a9a2bab6bd47a2
                                                        • Instruction Fuzzy Hash: 5C41D2B0D10719CFDB24CFAAC884BDDBBB5BF49704F60806AD408AB251EBB56945CF50

                                                        Control-flow Graph

                                                        APIs
                                                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 05544111
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2732629623.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5540000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID: CallProcWindow
                                                        • String ID:
                                                        • API String ID: 2714655100-0
                                                        • Opcode ID: 88aa23513c299d3bdcd877738ffff45d412440f443fcf9855a557b02b5a58c9f
                                                        • Instruction ID: fa7a59c0d4550d33a46073f2897a5488c3cbbef56fd1714e855ff30e24935013
                                                        • Opcode Fuzzy Hash: 88aa23513c299d3bdcd877738ffff45d412440f443fcf9855a557b02b5a58c9f
                                                        • Instruction Fuzzy Hash: 0A4106B9900349CFDB14CF99C848BAABBF6FB88314F24C459D519AB321D775A845CFA0

                                                        Control-flow Graph

                                                        APIs
                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0554BCE0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2732629623.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5540000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID: MemoryProcessWrite
                                                        • String ID:
                                                        • API String ID: 3559483778-0
                                                        • Opcode ID: 6a166d48c0b021ce51db0324504b0e5f82efee6b254aaaf24a399b206e4bc245
                                                        • Instruction ID: 2871c50b91e0404320cb3c971edcadfc8269880080c3da03114d78a99843cf4f
                                                        • Opcode Fuzzy Hash: 6a166d48c0b021ce51db0324504b0e5f82efee6b254aaaf24a399b206e4bc245
                                                        • Instruction Fuzzy Hash: 3F2104B59003499FDF10CFA9C885BEEBBF1FB48324F148429E959A7240DB799954CBA0

                                                        Control-flow Graph

                                                        APIs
                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0554BCE0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2732629623.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5540000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID: MemoryProcessWrite
                                                        • String ID:
                                                        • API String ID: 3559483778-0
                                                        • Opcode ID: 82f73084deffd64c6846821b64ace1185cad3f1b3b6830cffd6eb6040aa89698
                                                        • Instruction ID: 819abbe97091ea03d9f57f2ab1a78568a5ebcd39bee30bf8b7109acb779f7efc
                                                        • Opcode Fuzzy Hash: 82f73084deffd64c6846821b64ace1185cad3f1b3b6830cffd6eb6040aa89698
                                                        • Instruction Fuzzy Hash: 7A2126B59003099FDF10CFAAC885BEEBBF5FF48314F148429E959A7240CB799954CBA4

                                                        Control-flow Graph

                                                        APIs
                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,015CD5E6,?,?,?,?,?), ref: 015CD6A7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2728904812.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_15c0000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID: DuplicateHandle
                                                        • String ID:
                                                        • API String ID: 3793708945-0
                                                        • Opcode ID: 6e1fc4810792c9aebcd35ad67de71aef435995beb38d1d0af84ac7f2788b85a9
                                                        • Instruction ID: 0d41987c83267f83cf3df106e2ebb84830b4ad4458bc57dffeab7b85b6c108c3
                                                        • Opcode Fuzzy Hash: 6e1fc4810792c9aebcd35ad67de71aef435995beb38d1d0af84ac7f2788b85a9
                                                        • Instruction Fuzzy Hash: AE21E4B5900208EFDB10CFDAD484AEEBBF4FB48710F14842AE958A7350D374A954CFA4

                                                        Control-flow Graph

                                                        APIs
                                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0554BBF6
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2732629623.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5540000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID: ContextThreadWow64
                                                        • String ID:
                                                        • API String ID: 983334009-0
                                                        • Opcode ID: d0a9041e7dae1aa90e4e1dcd768585faab0fb604b25535ccc983dfd581a18052
                                                        • Instruction ID: dee6bda59f06464a08dea1a24c5d436e8e36617007865a4763e95afe70e1720e
                                                        • Opcode Fuzzy Hash: d0a9041e7dae1aa90e4e1dcd768585faab0fb604b25535ccc983dfd581a18052
                                                        • Instruction Fuzzy Hash: A42138719043098FDB10DFAAC4857EEBBF4FF48324F548429D559A7241CB789945CFA4
                                                        APIs
                                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0554BBF6
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2732629623.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5540000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID: ContextThreadWow64
                                                        • String ID:
                                                        • API String ID: 983334009-0
                                                        • Opcode ID: c8db2ac4c10eb7910a30008f8b27b522425e73b77d33382ed1109d26da359c51
                                                        • Instruction ID: 3ca100300ce78eaabaf43137dd3ce3ff69041b548e41c0648c3ca08cc0a781ed
                                                        • Opcode Fuzzy Hash: c8db2ac4c10eb7910a30008f8b27b522425e73b77d33382ed1109d26da359c51
                                                        • Instruction Fuzzy Hash: 7D2135719043098FDB10DFAAC4857EEBBF4FF48224F54842AD559A7241CB789945CFA4
                                                        APIs
                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,015CD5E6,?,?,?,?,?), ref: 015CD6A7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2728904812.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_15c0000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID: DuplicateHandle
                                                        • String ID:
                                                        • API String ID: 3793708945-0
                                                        • Opcode ID: 2206f0aef5de751823aa34150dd63daa05a76276afafe90a3a718255474bef61
                                                        • Instruction ID: 2851038581a9bbaa6e425df5c9e9e3d1abb06e81b05b76ebdc0a50e861f9a820
                                                        • Opcode Fuzzy Hash: 2206f0aef5de751823aa34150dd63daa05a76276afafe90a3a718255474bef61
                                                        • Instruction Fuzzy Hash: E121E3B59002089FDB10CF9AD584ADEBBF4FB48314F24842AE958A7350D378A955CF60
                                                        APIs
                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0554CDF9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2732629623.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5540000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID: MemoryProcessRead
                                                        • String ID:
                                                        • API String ID: 1726664587-0
                                                        • Opcode ID: 17c94d14f2fb320e3a7ab271d5191b9e98236755a9bb661b1c36daa41b534e0c
                                                        • Instruction ID: baee0e985ba863be3e28601c2f1e64cef7220a9129d9dd6abae4dbd00158b329
                                                        • Opcode Fuzzy Hash: 17c94d14f2fb320e3a7ab271d5191b9e98236755a9bb661b1c36daa41b534e0c
                                                        • Instruction Fuzzy Hash: D921E0B59017599FDB10CF9AD884BDEFBF4FB48310F10842AE958A7250C378A954CFA1
                                                        APIs
                                                        • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0554CD3B
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2732629623.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5540000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID: ContextThreadWow64
                                                        • String ID:
                                                        • API String ID: 983334009-0
                                                        • Opcode ID: 49daa97fdc0d33618678d8e317128ef0a67c13f5e38cc41344b9f5d18117a0ea
                                                        • Instruction ID: b70969ee4a4963e62bc933d8e79eeeba914b74b421281028dbb3050898eb27e7
                                                        • Opcode Fuzzy Hash: 49daa97fdc0d33618678d8e317128ef0a67c13f5e38cc41344b9f5d18117a0ea
                                                        • Instruction Fuzzy Hash: 2B1134B6D006498FDB10CF9AD845BDEBBF4BB88324F15842AD458B7250D778A545CFA0
                                                        APIs
                                                        • PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,05B59862,00000000,00000000,03F242C4,02F407E8), ref: 05B59CB0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2734926900.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5b50000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID: MessagePeek
                                                        • String ID:
                                                        • API String ID: 2222842502-0
                                                        • Opcode ID: 5154ebf0fd299c5ae9ff5739c760366a4096d04fa66c379f37ba79a505fe1635
                                                        • Instruction ID: c172bcc16a1b05ad53b49bfc57dc26d4beddb4c4a90a0f0f843f0a7a51c01153
                                                        • Opcode Fuzzy Hash: 5154ebf0fd299c5ae9ff5739c760366a4096d04fa66c379f37ba79a505fe1635
                                                        • Instruction Fuzzy Hash: FE1114B5804209DFDB10CF9AC544BEEBBF8FB48320F10802AE958A3251C378A944CFA5
                                                        APIs
                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0554CDF9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2732629623.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5540000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID: MemoryProcessRead
                                                        • String ID:
                                                        • API String ID: 1726664587-0
                                                        • Opcode ID: b84706aa0c9487762b9cbcbe8c5ffc160c999d921fa7f0d782bf5d4283e688d1
                                                        • Instruction ID: 3dd8e7aa5c1b6467f675cffc833cf987328b1d6a66d657b6e008a612bea84e6c
                                                        • Opcode Fuzzy Hash: b84706aa0c9487762b9cbcbe8c5ffc160c999d921fa7f0d782bf5d4283e688d1
                                                        • Instruction Fuzzy Hash: 1721E0B58012599FDB10CF9AC884BDEFBF8FB48310F10842AE958A3250C378A954CFA5
                                                        APIs
                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0554BDAE
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2732629623.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5540000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID: AllocVirtual
                                                        • String ID:
                                                        • API String ID: 4275171209-0
                                                        • Opcode ID: d47e3b82665ffc64fdcf3af3162e62e29506705ceb3171c04dc72c20f34bdb04
                                                        • Instruction ID: c6ddefbe88316eb53a694a939bd6e52485bdffc42cd073657c29f95eb3d7ab3e
                                                        • Opcode Fuzzy Hash: d47e3b82665ffc64fdcf3af3162e62e29506705ceb3171c04dc72c20f34bdb04
                                                        • Instruction Fuzzy Hash: 9E1156759002489FDF10CFAAC8447EEBBF1AB48324F14882AE559A7250C7759544CF90
                                                        APIs
                                                        • PeekMessageW.USER32(?,?,00000000,00000000,00000000,?,?,?,?,05B59862,00000000,00000000,03F242C4,02F407E8), ref: 05B59CB0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2734926900.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5b50000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID: MessagePeek
                                                        • String ID:
                                                        • API String ID: 2222842502-0
                                                        • Opcode ID: a9116d6d49bf726953906f4cfd32b45888a7457390b913f620fc88998a5a8788
                                                        • Instruction ID: 6f6c32bdd7535b9506f618868b5be585aff20e86167aec3838cd0f1325514a29
                                                        • Opcode Fuzzy Hash: a9116d6d49bf726953906f4cfd32b45888a7457390b913f620fc88998a5a8788
                                                        • Instruction Fuzzy Hash: 781114B6800209DFDB10CF9AC945BDEBBF8FB08320F10802AE958A3250C378A544CFA5
                                                        APIs
                                                        • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0554CD3B
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2732629623.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5540000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID: ContextThreadWow64
                                                        • String ID:
                                                        • API String ID: 983334009-0
                                                        • Opcode ID: a9d5a87a4693d033abd0caed595f601821407860e6450e820c554e8490e387f5
                                                        • Instruction ID: bd85359bceb2d725433f57b21e0120260e86110c5a7cd34299a175d1b0dfd902
                                                        • Opcode Fuzzy Hash: a9d5a87a4693d033abd0caed595f601821407860e6450e820c554e8490e387f5
                                                        • Instruction Fuzzy Hash: 161143B6C006498FDB10CF9AC845BDEFBF4FB88324F14802AD458A3250D778A945CFA1
                                                        APIs
                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0554BDAE
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2732629623.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5540000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID: AllocVirtual
                                                        • String ID:
                                                        • API String ID: 4275171209-0
                                                        • Opcode ID: b33584640ac10a1fdeabedc16b13888fccdc00a95dd89148bb0740a8aeb5f796
                                                        • Instruction ID: a7baf615296885ea6cb444494f08b933e9fec1651bfc675f1af735e6e2471489
                                                        • Opcode Fuzzy Hash: b33584640ac10a1fdeabedc16b13888fccdc00a95dd89148bb0740a8aeb5f796
                                                        • Instruction Fuzzy Hash: F01144718003089FDF10CFAAC844BEEBBF5EB48324F148429E559A7250CB759540CFA0
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2732629623.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5540000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID: ResumeThread
                                                        • String ID:
                                                        • API String ID: 947044025-0
                                                        • Opcode ID: 41ffabee2ccfde3c894a6c51d29ebfd42eee74a470d3950cc4a350078f2ae566
                                                        • Instruction ID: b65e6ccab2fcb98f2bc57328679a221f880abefaa5dc1ecf922a76b1b35457c2
                                                        • Opcode Fuzzy Hash: 41ffabee2ccfde3c894a6c51d29ebfd42eee74a470d3950cc4a350078f2ae566
                                                        • Instruction Fuzzy Hash: 101155B59043488FDB10DFAAC4457EEFBF4EB88324F24842AD559A7280CB799945CFA0
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2732629623.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5540000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID: ResumeThread
                                                        • String ID:
                                                        • API String ID: 947044025-0
                                                        • Opcode ID: e4d47019fe765f40b71ee3aa461f1cbcfb8053fbd870a359f8dc36955c28efa5
                                                        • Instruction ID: 5bf71a98385c5edf9bb307f2ba46c75cdb3df7c6774484842ca3069e0071d110
                                                        • Opcode Fuzzy Hash: e4d47019fe765f40b71ee3aa461f1cbcfb8053fbd870a359f8dc36955c28efa5
                                                        • Instruction Fuzzy Hash: 9B1136B19043488FDB14DFAAC4457EEFBF4EB88224F248429D559A7250CB75A944CFA4
                                                        APIs
                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 015CAF9E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2728904812.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_15c0000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID: HandleModule
                                                        • String ID:
                                                        • API String ID: 4139908857-0
                                                        • Opcode ID: e25dbb951c6a4d16946fbffae454b0aa7f29cf00b6f5b5477374479def87c6e4
                                                        • Instruction ID: 0767feea3188ab210e9798b28ae0c222b546e78becd215fa9e7d9511ad862a96
                                                        • Opcode Fuzzy Hash: e25dbb951c6a4d16946fbffae454b0aa7f29cf00b6f5b5477374479def87c6e4
                                                        • Instruction Fuzzy Hash: 701110B9C006498FDB14CF9AD444BDEFBF4BB88714F10842AD968A7250D379A545CFA1
                                                        APIs
                                                        • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,05B599A7), ref: 05B5A445
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2734926900.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5b50000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID: DispatchMessage
                                                        • String ID:
                                                        • API String ID: 2061451462-0
                                                        • Opcode ID: 8e86673c107e0f77e46866a2f9e0dc4b62863ece1e688907cba03e1e40a6dbe3
                                                        • Instruction ID: e9658a9b6f9d58658369833e2600e034a6b3295ba6ce654263074f71b5cee5d6
                                                        • Opcode Fuzzy Hash: 8e86673c107e0f77e46866a2f9e0dc4b62863ece1e688907cba03e1e40a6dbe3
                                                        • Instruction Fuzzy Hash: 9311EDB5C046488FCB24DF9AD448BDEFBF4EB48324F10856AE959B7210D378A544CFA5
                                                        APIs
                                                        • SetWindowLongW.USER32(?,?,?), ref: 05541B95
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2732629623.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5540000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID: LongWindow
                                                        • String ID:
                                                        • API String ID: 1378638983-0
                                                        • Opcode ID: 64b35e70779a9251495f377cf6e49cda4fef458e7a4849fcf589b1977c0e5717
                                                        • Instruction ID: 98267bc6179602df9999f2bd2dd62abb7f0686602755513767551c49e9980c18
                                                        • Opcode Fuzzy Hash: 64b35e70779a9251495f377cf6e49cda4fef458e7a4849fcf589b1977c0e5717
                                                        • Instruction Fuzzy Hash: B811F2B58006499FDB10DF9AD485BDEBBF8FB48324F10841AD959A7340D374A944CFA5
                                                        APIs
                                                        • DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,05B599A7), ref: 05B5A445
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2734926900.0000000005B50000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B50000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5b50000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID: DispatchMessage
                                                        • String ID:
                                                        • API String ID: 2061451462-0
                                                        • Opcode ID: 553bba943b8e6fb0f788281c7ef3b544554f8f84729769c9045b7f5e221574e6
                                                        • Instruction ID: 598a20ec04a9ea9f0067f5ade4dc75e9c2d5659ae0e0ddc393f2ef23e4c256f8
                                                        • Opcode Fuzzy Hash: 553bba943b8e6fb0f788281c7ef3b544554f8f84729769c9045b7f5e221574e6
                                                        • Instruction Fuzzy Hash: D311FEB5C046498FCB14DF9AD844BDEFBF4EB48324F10856AD958B3210D378A544CFA5
                                                        APIs
                                                        • SetWindowLongW.USER32(?,?,?), ref: 05541B95
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2732629623.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5540000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID: LongWindow
                                                        • String ID:
                                                        • API String ID: 1378638983-0
                                                        • Opcode ID: de31a64cf4d8c7386566f5ded950339727966629fe0fab6d72fa259165a2051b
                                                        • Instruction ID: d8cdc91af9b278de8c4161dcc69e58148f0df81ecfe87fbc522e18238df1804b
                                                        • Opcode Fuzzy Hash: de31a64cf4d8c7386566f5ded950339727966629fe0fab6d72fa259165a2051b
                                                        • Instruction Fuzzy Hash: 061100B58006488FDB10CF9AC484BDEBBF8FB88324F20841AD959A7340C374A944CFA5
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2728554610.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_14ed000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 322d96bdd9e51cfe5c4cb3baf368692a926e86ec2d70e9cb493268fad73f10a8
                                                        • Instruction ID: ad84b51d52617f00f5135bf7de553af9ed2a1d3e67799e2ddbffd490595ecb9e
                                                        • Opcode Fuzzy Hash: 322d96bdd9e51cfe5c4cb3baf368692a926e86ec2d70e9cb493268fad73f10a8
                                                        • Instruction Fuzzy Hash: 9C213671904204DFDB05DF84D9C8B56BBA5FB98315F20C57AE8090B366C336E456CAA2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2728612807.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_14fd000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1c2f9f9e08e3d3fe056cac872dd4b0ac46b053e432ea0d8fd9437247dda2c588
                                                        • Instruction ID: afcb241fd381df5825b0fbd1325144df3bb39e70279e0a5d0c0b2e10333ddb54
                                                        • Opcode Fuzzy Hash: 1c2f9f9e08e3d3fe056cac872dd4b0ac46b053e432ea0d8fd9437247dda2c588
                                                        • Instruction Fuzzy Hash: 602137B1904300DFDB15DF54D8C0B16BB61FB84318F20C56EDA0A4B366C336D447CA62
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2728612807.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_14fd000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ac27b7254c592f35a1669c8ef20632801f1573a9dafd3a3a3679d4ec4c90a37b
                                                        • Instruction ID: ac307aa6dfeb714a1ac6da3ed063dcc4c63245a35686afa2118aa9ac36d95f40
                                                        • Opcode Fuzzy Hash: ac27b7254c592f35a1669c8ef20632801f1573a9dafd3a3a3679d4ec4c90a37b
                                                        • Instruction Fuzzy Hash: A3213876904304DFDB01DF94D9C0B2ABB65FB84324F24C56EDA490B352C336D446CAA2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2728612807.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_14fd000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8648a01c8f85d9010cbfc8eb6737ad22e6cacbd18653b6e40d0148246c384026
                                                        • Instruction ID: 31d67a0a1dc78e483a631df32a839d113d4d4a0039b2de4fbf4deebdbafa219b
                                                        • Opcode Fuzzy Hash: 8648a01c8f85d9010cbfc8eb6737ad22e6cacbd18653b6e40d0148246c384026
                                                        • Instruction Fuzzy Hash: 2E217F755093808FCB06CF24D594716BF71EB46218F28C5EAD9498F7A7C33A984ACB62
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2728554610.00000000014ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 014ED000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_14ed000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
                                                        • Instruction ID: b0d425f8354eb97eb212c4ac0ebc4a309f1ab97ae1ea67e1acee4b52fbbf7192
                                                        • Opcode Fuzzy Hash: 8a9223d17f0c59b9928f2445ae754a3689dedab5288f4c6dbc5edc2f4224d076
                                                        • Instruction Fuzzy Hash: 2611C076804240CFCB02CF44D5C4B56BFA1FB94314F2482AAD8490A667C33AD456CB91
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2728612807.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_14fd000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: fe29617760380478690089006a0cc6f54f4220f428edbdb5d188c8f044c695c2
                                                        • Instruction ID: e288940a5c06a0b7988b8054c6b752b1d210352366c4c204081f686928934235
                                                        • Opcode Fuzzy Hash: fe29617760380478690089006a0cc6f54f4220f428edbdb5d188c8f044c695c2
                                                        • Instruction Fuzzy Hash: 09119076904680CFDB12CF14D5C4B1ABB61FB84324F24C6AEDA494B756C33AD44ACB92
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2732629623.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5540000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 645f142eb1bbf4f33bb13efe1d49e2d46c24cf332918f486a08c5135f60fd3cd
                                                        • Instruction ID: 1b6797bd4660e7e79dd2b294553cfe09e21ace367a7f71e8db3ac661054b4d87
                                                        • Opcode Fuzzy Hash: 645f142eb1bbf4f33bb13efe1d49e2d46c24cf332918f486a08c5135f60fd3cd
                                                        • Instruction Fuzzy Hash: 9E1287B28C27458BE390CF66E84C18A3BB1B7E2314BD14A09D3611A2E5D7B611E6CF44
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2728904812.00000000015C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_15c0000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 245dcfbb03150d35a94f0b0860310538250d8d4406caf4b4d8999421bbd33502
                                                        • Instruction ID: 67a1ecb69e8518462f569ff5a4d620bf58e02b3e0acf5965be308d1fe13a3fdb
                                                        • Opcode Fuzzy Hash: 245dcfbb03150d35a94f0b0860310538250d8d4406caf4b4d8999421bbd33502
                                                        • Instruction Fuzzy Hash: FBA15B36E0020A8FCF15DFA5C84059EBBB2FF88704B15856EE906AF261DB31E956CB40
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2732629623.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5540000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: f55dabcaa73ed9b9eb8c4151dd3f8523f65260a9edc48d1eb0d1b12fc42d4813
                                                        • Instruction ID: 8259ad36dbc9b42315e8680f65ae4e27154c61e6641990ce7687514eb7b440a6
                                                        • Opcode Fuzzy Hash: f55dabcaa73ed9b9eb8c4151dd3f8523f65260a9edc48d1eb0d1b12fc42d4813
                                                        • Instruction Fuzzy Hash: 8681AF34B00219DBDB18DFB5986437E77A3BFC8751F09892DE416EB288CE35D8069B91
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.2732629623.0000000005540000.00000040.00000800.00020000.00000000.sdmp, Offset: 05540000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_5540000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e4c914e22a1b263efad766ed7ceb4932ada42a4ba98e16295502a3df66d89ff1
                                                        • Instruction ID: 2e98cd8885161b65f94fa7f342e38e96ef08bea572cfd3a1a06997631395fbe0
                                                        • Opcode Fuzzy Hash: e4c914e22a1b263efad766ed7ceb4932ada42a4ba98e16295502a3df66d89ff1
                                                        • Instruction Fuzzy Hash: 4FC12CB2CC27458BD390CF66E84818A3B71BBE2314FD14A09D3616B2D1DBB515EACF54

                                                        Execution Graph

                                                        Execution Coverage: 11.8%
                                                        Dynamic/Decrypted Code Coverage: 100%
                                                        Signature Coverage: 32.8%
                                                        Total number of Nodes: 58
                                                        Total number of Limit Nodes: 9
                                                        execution_graph 21458 63c4c79 21459 63c4cb5 21458->21459 21461 63c6b97 21459->21461 21463 63c4fbe 21459->21463 21464 63c4340 21459->21464 21462 63c4340 2 API calls 21462->21463 21463->21461 21463->21462 21465 63c4352 21464->21465 21466 63c4357 21464->21466 21465->21463 21466->21465 21467 63c4596 LdrInitializeThunk 21466->21467 21470 63c4631 21467->21470 21468 63c46f1 21468->21463 21469 63c4a81 LdrInitializeThunk 21469->21468 21470->21468 21470->21469 21471 1075088 21472 1075094 21471->21472 21473 10750c3 21472->21473 21475 1079b9f 21472->21475 21476 1079ba6 21475->21476 21477 1079bf0 21475->21477 21486 1079e00 21476->21486 21492 1079def 21476->21492 21498 63c9262 21477->21498 21502 63c9270 21477->21502 21478 1079c1a 21506 63cb460 21478->21506 21510 63cb470 21478->21510 21479 1079c36 21479->21473 21487 1079e22 21486->21487 21488 1079eee 21487->21488 21491 63c4340 2 API calls 21487->21491 21514 63c4944 21487->21514 21520 63c4560 21487->21520 21488->21477 21491->21488 21493 1079dfa 21492->21493 21494 1079eee 21493->21494 21495 63c4944 3 API calls 21493->21495 21496 63c4560 4 API calls 21493->21496 21497 63c4340 2 API calls 21493->21497 21494->21477 21495->21494 21496->21494 21497->21494 21499 63c926b 21498->21499 21500 63c4560 4 API calls 21499->21500 21501 63c93a4 21499->21501 21500->21501 21501->21478 21503 63c9292 21502->21503 21504 63c4560 4 API calls 21503->21504 21505 63c93a4 21503->21505 21504->21505 21505->21478 21507 63cb492 21506->21507 21508 63c4560 4 API calls 21507->21508 21509 63cb55c 21507->21509 21508->21509 21509->21479 21511 63cb492 21510->21511 21512 63c4560 4 API calls 21511->21512 21513 63cb55c 21511->21513 21512->21513 21513->21479 21515 63c47fb 21514->21515 21516 63c493c LdrInitializeThunk 21515->21516 21519 63c4340 2 API calls 21515->21519 21518 63c4a99 21516->21518 21518->21488 21519->21515 21521 63c4596 LdrInitializeThunk 21520->21521 21522 63c4591 21520->21522 21523 63c4631 21521->21523 21522->21521 21524 63c46f1 21523->21524 21525 63c493c LdrInitializeThunk 21523->21525 21527 63c4340 2 API calls 21523->21527 21524->21488 21525->21524 21527->21523

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 539 63c4560-63c458f 540 63c4596-63c462c LdrInitializeThunk 539->540 541 63c4591 539->541 542 63c46cb-63c46d1 540->542 541->540 543 63c46d7-63c46ef 542->543 544 63c4631-63c4644 542->544 545 63c46f1-63c46fe 543->545 546 63c4703-63c4716 543->546 547 63c464b-63c469c 544->547 548 63c4646 544->548 549 63c4a99-63c4b96 545->549 550 63c471d-63c4739 546->550 551 63c4718 546->551 564 63c469e-63c46ac 547->564 565 63c46af-63c46c1 547->565 548->547 556 63c4b9e-63c4ba8 549->556 557 63c4b98-63c4b9d 549->557 554 63c473b 550->554 555 63c4740-63c4764 550->555 551->550 554->555 561 63c476b-63c479d 555->561 562 63c4766 555->562 557->556 570 63c479f 561->570 571 63c47a4-63c47e6 561->571 562->561 564->543 567 63c46c8 565->567 568 63c46c3 565->568 567->542 568->567 570->571 573 63c47ed-63c47f6 571->573 574 63c47e8 571->574 575 63c4a1e-63c4a24 573->575 574->573 576 63c4a2a-63c4a3d 575->576 577 63c47fb-63c4820 575->577 580 63c4a3f 576->580 581 63c4a44-63c4a5f 576->581 578 63c4827-63c485e 577->578 579 63c4822 577->579 589 63c4865-63c4897 578->589 590 63c4860 578->590 579->578 580->581 582 63c4a66-63c4a7a 581->582 583 63c4a61 581->583 587 63c4a7c 582->587 588 63c4a81-63c4a97 LdrInitializeThunk 582->588 583->582 587->588 588->549 592 63c4899-63c48be 589->592 593 63c48fb-63c490e 589->593 590->589 594 63c48c5-63c48f3 592->594 595 63c48c0 592->595 596 63c4915-63c493a 593->596 597 63c4910 593->597 594->593 595->594 600 63c493c-63c493d 596->600 601 63c4949-63c4981 596->601 597->596 600->576 602 63c4988-63c49e9 call 63c4340 601->602 603 63c4983 601->603 609 63c49eb 602->609 610 63c49f0-63c4a14 602->610 603->602 609->610 613 63c4a1b 610->613 614 63c4a16 610->614 613->575 614->613
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2733146839.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_63c0000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: a991c107829069d851154fd03962c4563c492a970fa3f2100740c6c470274fff
                                                        • Instruction ID: a0a82a82b42d364914051db33884f83f2030caea450409831fbb5c773f73c7e1
                                                        • Opcode Fuzzy Hash: a991c107829069d851154fd03962c4563c492a970fa3f2100740c6c470274fff
                                                        • Instruction Fuzzy Hash: A4F1E174E01218CFDB64DFA9D884B9DBBF2BF88310F1481A9E458AB255DB319D85CF90

                                                        Control-flow Graph

                                                        control_flow_graph 1045 63c4340-63c4350 1046 63c4357-63c4363 1045->1046 1047 63c4352 1045->1047 1050 63c436a-63c437f 1046->1050 1051 63c4365 1046->1051 1048 63c4483-63c448d 1047->1048 1054 63c4385-63c4390 1050->1054 1055 63c4493-63c44d3 1050->1055 1051->1048 1058 63c448e 1054->1058 1059 63c4396-63c439d 1054->1059 1073 63c44da-63c458f 1055->1073 1058->1055 1060 63c439f-63c43b6 1059->1060 1061 63c43ca-63c43d5 1059->1061 1072 63c43bc-63c43bf 1060->1072 1060->1073 1066 63c43d7-63c43df 1061->1066 1067 63c43e2-63c43ec 1061->1067 1066->1067 1074 63c4476-63c447b 1067->1074 1075 63c43f2-63c43fc 1067->1075 1072->1058 1076 63c43c5-63c43c8 1072->1076 1104 63c4596-63c462c LdrInitializeThunk 1073->1104 1105 63c4591 1073->1105 1074->1048 1075->1058 1082 63c4402-63c441e 1075->1082 1076->1060 1076->1061 1087 63c4420 1082->1087 1088 63c4422-63c4425 1082->1088 1087->1048 1090 63c442c-63c442f 1088->1090 1091 63c4427-63c442a 1088->1091 1092 63c4432-63c4440 1090->1092 1091->1092 1092->1058 1095 63c4442-63c4449 1092->1095 1095->1048 1097 63c444b-63c4451 1095->1097 1097->1058 1098 63c4453-63c4458 1097->1098 1098->1058 1100 63c445a-63c446d 1098->1100 1100->1058 1106 63c446f-63c4472 1100->1106 1107 63c46cb-63c46d1 1104->1107 1105->1104 1106->1097 1108 63c4474 1106->1108 1109 63c46d7-63c46ef 1107->1109 1110 63c4631-63c4644 1107->1110 1108->1048 1111 63c46f1-63c46fe 1109->1111 1112 63c4703-63c4716 1109->1112 1113 63c464b-63c469c 1110->1113 1114 63c4646 1110->1114 1115 63c4a99-63c4b96 1111->1115 1116 63c471d-63c4739 1112->1116 1117 63c4718 1112->1117 1130 63c469e-63c46ac 1113->1130 1131 63c46af-63c46c1 1113->1131 1114->1113 1122 63c4b9e-63c4ba8 1115->1122 1123 63c4b98-63c4b9d 1115->1123 1120 63c473b 1116->1120 1121 63c4740-63c4764 1116->1121 1117->1116 1120->1121 1127 63c476b-63c479d 1121->1127 1128 63c4766 1121->1128 1123->1122 1136 63c479f 1127->1136 1137 63c47a4-63c47e6 1127->1137 1128->1127 1130->1109 1133 63c46c8 1131->1133 1134 63c46c3 1131->1134 1133->1107 1134->1133 1136->1137 1139 63c47ed-63c47f6 1137->1139 1140 63c47e8 1137->1140 1141 63c4a1e-63c4a24 1139->1141 1140->1139 1142 63c4a2a-63c4a3d 1141->1142 1143 63c47fb-63c4820 1141->1143 1146 63c4a3f 1142->1146 1147 63c4a44-63c4a5f 1142->1147 1144 63c4827-63c485e 1143->1144 1145 63c4822 1143->1145 1155 63c4865-63c4897 1144->1155 1156 63c4860 1144->1156 1145->1144 1146->1147 1148 63c4a66-63c4a7a 1147->1148 1149 63c4a61 1147->1149 1153 63c4a7c 1148->1153 1154 63c4a81-63c4a97 LdrInitializeThunk 1148->1154 1149->1148 1153->1154 1154->1115 1158 63c4899-63c48be 1155->1158 1159 63c48fb-63c490e 1155->1159 1156->1155 1160 63c48c5-63c48f3 1158->1160 1161 63c48c0 1158->1161 1162 63c4915-63c493a 1159->1162 1163 63c4910 1159->1163 1160->1159 1161->1160 1166 63c493c-63c493d 1162->1166 1167 63c4949-63c4981 1162->1167 1163->1162 1166->1142 1168 63c4988-63c49e9 call 63c4340 1167->1168 1169 63c4983 1167->1169 1175 63c49eb 1168->1175 1176 63c49f0-63c4a14 1168->1176 1169->1168 1175->1176 1179 63c4a1b 1176->1179 1180 63c4a16 1176->1180 1179->1141 1180->1179
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2733146839.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_63c0000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: e2817e4e0eeca3634ea8351c855cbfb7d7980487deeaa75f6c190e13d7e0bdfe
                                                        • Instruction ID: 903f57055891e8bb2d3bb58cd421670e94f0fe6af30689a1d6c3c7328a3eb996
                                                        • Opcode Fuzzy Hash: e2817e4e0eeca3634ea8351c855cbfb7d7980487deeaa75f6c190e13d7e0bdfe
                                                        • Instruction Fuzzy Hash: 2C91AE71E002198FEB58DFB5D8607AEBBF6BF84220F20852DE405EB295DB358C05CB90

                                                        Control-flow Graph

                                                        control_flow_graph 2525 1072dd1-1072ded 2526 1072df6-1072e06 2525->2526 2527 1072def-1072df1 2525->2527 2529 1072e0d-1072e1d 2526->2529 2530 1072e08 2526->2530 2528 1073094-107309b 2527->2528 2532 1072e23-1072e31 2529->2532 2533 107307b-1073089 2529->2533 2530->2528 2536 1072e37 2532->2536 2537 107309c-1073182 2532->2537 2533->2537 2538 107308b-107308f call 10702a8 2533->2538 2536->2537 2539 1072f67-1072f8f 2536->2539 2540 1072ea2-1072ec3 2536->2540 2541 1073001-107302d 2536->2541 2542 107302f-107304a call 10702b8 2536->2542 2543 107306f-1073079 2536->2543 2544 1072eee-1072f0f 2536->2544 2545 107304c-107306d call 10718c8 2536->2545 2546 1072ec8-1072ee9 2536->2546 2547 1072fd6-1072ffc 2536->2547 2548 1072e55-1072e76 2536->2548 2549 1072f14-1072f35 2536->2549 2550 1072f94-1072fd1 2536->2550 2551 1072e3e-1072e50 2536->2551 2552 1072e7b-1072e9d 2536->2552 2553 1072f3a-1072f62 2536->2553 2607 1073184 2537->2607 2608 1073189-10732ac call 10716c8 call 10716d8 call 10716e8 call 10716f8 call 10702c4 2537->2608 2538->2528 2539->2528 2540->2528 2541->2528 2542->2528 2543->2528 2544->2528 2545->2528 2546->2528 2547->2528 2548->2528 2549->2528 2550->2528 2551->2528 2552->2528 2553->2528 2607->2608 2626 10732b2-10732d6 2608->2626 2628 10732e2 2626->2628 2629 10732d8-10732e1 2626->2629 2631 10732e3 2628->2631 2629->2628 2631->2631
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2728639569.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_1070000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a9ef4f28d190fce74cf2ed614c59bc60a1a8feaa56967bb2c2d5c7f13c28b0de
                                                        • Instruction ID: 2143b6b4b004f4ddb92a567d9dec3e18b736127696e5deede461a3eca078b485
                                                        • Opcode Fuzzy Hash: a9ef4f28d190fce74cf2ed614c59bc60a1a8feaa56967bb2c2d5c7f13c28b0de
                                                        • Instruction Fuzzy Hash: E3E15D34F00319DFEB19DFB5D4546AEBBB2BF88310B148569E486AB348DE359801CB95

                                                        Control-flow Graph

                                                        control_flow_graph 2746 63c9270-63c9290 2747 63c9297-63c9359 2746->2747 2748 63c9292 2746->2748 2754 63c935f-63c937c 2747->2754 2755 63c9724-63c9822 2747->2755 2748->2747 2813 63c937f call 107a706 2754->2813 2814 63c937f call 107a3c0 2754->2814 2758 63c982a-63c9830 2755->2758 2759 63c9824-63c9829 2755->2759 2759->2758 2760 63c9384-63c93c6 call 63c4560 call 63c75a0 2766 63c93cd-63c93d6 2760->2766 2767 63c93c8 2760->2767 2768 63c9717-63c971d 2766->2768 2767->2766 2769 63c93db-63c9473 call 63c7720 * 3 call 63c7c20 2768->2769 2770 63c9723 2768->2770 2779 63c9479-63c94b5 2769->2779 2780 63c954b-63c95ac call 63c7720 2769->2780 2770->2755 2815 63c94bb call 63c98c5 2779->2815 2816 63c94bb call 63c98d0 2779->2816 2817 63c94bb call 63c9b31 2779->2817 2790 63c95ad-63c95bc 2780->2790 2788 63c94c1-63c94fc 2791 63c94fe-63c951b 2788->2791 2792 63c9546-63c9549 2788->2792 2794 63c95c5-63c9604 2790->2794 2795 63c9521-63c9545 2791->2795 2792->2790 2797 63c960a-63c96fa 2794->2797 2798 63c96fb-63c970d 2794->2798 2795->2792 2797->2798 2800 63c970f 2798->2800 2801 63c9714 2798->2801 2800->2801 2801->2768 2813->2760 2814->2760 2815->2788 2816->2788 2817->2788
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2733146839.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_63c0000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: abc846be6f56f83a54b8a256a33c4d6da1bf7113702bee9a861b3694fbf89842
                                                        • Instruction ID: b702f7450f472c56cbff7f12b2742f64f1f39d158ba78fc9fc6b749e6e45ac97
                                                        • Opcode Fuzzy Hash: abc846be6f56f83a54b8a256a33c4d6da1bf7113702bee9a861b3694fbf89842
                                                        • Instruction Fuzzy Hash: 12E1C174E01218CFEB64DFA5D894B9DBBB2BF89304F2081A9E409A7394DB355E85CF50

                                                        Control-flow Graph

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2728639569.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_1070000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b3b82484ab5799308c2e4616da59f133bba877816c4ffb81c17b2bf34f52bb11
                                                        • Instruction ID: a4679e71c9742e355bbe27020215c82cfddb9810a6d1a4141cc520c7b9bfd5b9
                                                        • Opcode Fuzzy Hash: b3b82484ab5799308c2e4616da59f133bba877816c4ffb81c17b2bf34f52bb11
                                                        • Instruction Fuzzy Hash: 92C1A074E00258CFEB54DFA5D994BADBBB2BF88304F2480A9D909AB354DB355E81CF50

                                                        Control-flow Graph

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2733146839.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_63c0000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: cad938e45979425e57d63fc75e1e084e6db5b1b504de6da28147c792c8a5b24d
                                                        • Instruction ID: 114951eb31e8e546026a0f1eabdc2e778679eb141c6fdb756f5fb6ea4dbba5af
                                                        • Opcode Fuzzy Hash: cad938e45979425e57d63fc75e1e084e6db5b1b504de6da28147c792c8a5b24d
                                                        • Instruction Fuzzy Hash: A8C1B174E00258CFDB54DFA5D994BADBBB2BF88304F2080A9D809AB355DB359E85CF50
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2728639569.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_1070000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: bb5569db4bb13476c602d84a804f7d5359156ad0e8475a6d26f151f658b280ff
                                                        • Instruction ID: d2dc4cb2755b0d596ab090d789ce4002ec09bc3ea4010c70e5581580d9c1e741
                                                        • Opcode Fuzzy Hash: bb5569db4bb13476c602d84a804f7d5359156ad0e8475a6d26f151f658b280ff
                                                        • Instruction Fuzzy Hash: FBA12570E00209CFEB24DFA8C848BDDBBB1FF88304F248269D559AB291DB759984CF54
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2728639569.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_1070000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ffb1b76bb59e04e9af748b2c1e8f26fbcd7fc6af04ccdc73cff284396a17640c
                                                        • Instruction ID: 93d500a6c26a12ac6f2ed3cc6614a63130ed2570412955581369d06854a4a664
                                                        • Opcode Fuzzy Hash: ffb1b76bb59e04e9af748b2c1e8f26fbcd7fc6af04ccdc73cff284396a17640c
                                                        • Instruction Fuzzy Hash: 7491F374E00208CFEB24DFA8C848BDDBBB1FF48314F248299E549AB291DB759985CF54
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2728639569.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_1070000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1d958918b65e3c95fa826e0472359e359b60b39cc5f35170df9b66c47b9df218
                                                        • Instruction ID: 88d8ca4b8af9e1a573123a31d881dfc2b63bcc2bea561cc0be1411fb7701506f
                                                        • Opcode Fuzzy Hash: 1d958918b65e3c95fa826e0472359e359b60b39cc5f35170df9b66c47b9df218
                                                        • Instruction Fuzzy Hash: 41410370E00248CFEB18CFBAD8546DEBBF2AF89304F24C16AD415AB294EB344945CF54

                                                        Control-flow Graph

                                                        APIs
                                                        • LdrInitializeThunk.NTDLL(00000000), ref: 063C4A86
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2733146839.00000000063C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063C0000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_63c0000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID: InitializeThunk
                                                        • String ID:
                                                        • API String ID: 2994545307-0
                                                        • Opcode ID: 80d18ce810bb756eedcf9f2d69001d61636a238119a0fa5b706ad03a70ea8444
                                                        • Instruction ID: 45a7eadfb4b3cf3b828d269a8d07c9ee498081ed3fa33ceef10324f74261c1e3
                                                        • Opcode Fuzzy Hash: 80d18ce810bb756eedcf9f2d69001d61636a238119a0fa5b706ad03a70ea8444
                                                        • Instruction Fuzzy Hash: AB117278E001098FEB54DFA8D894AEDB7F5FB88325F148128E454E7242D730DD41CB94

                                                        Control-flow Graph

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2728639569.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_1070000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID: 0-3916222277
                                                        • Opcode ID: da552395984e9211bb08543c7c3f2943861f3bc7b7815062523b0e08745a21bd
                                                        • Instruction ID: 6c1d62dd0ab94bf32c6bf571b9254f8deb2ef77656a8ec79db7cfb469d5b1abf
                                                        • Opcode Fuzzy Hash: da552395984e9211bb08543c7c3f2943861f3bc7b7815062523b0e08745a21bd
                                                        • Instruction Fuzzy Hash: 90A1C430B002059FEB669F78985826D7BE7FF85320F148259EA968B3D1CE358C41CBD5

                                                        Control-flow Graph

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2728639569.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_1070000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID: 0-3916222277
                                                        • Opcode ID: 4e52001029b7d030ea660f8d364bd07d81dd109cd7f3c4a50ece7a241c7957c7
                                                        • Instruction ID: a9158fb6ba9554c1964b280dcaca7612756f07c633bd55ef307e490768a55ff6
                                                        • Opcode Fuzzy Hash: 4e52001029b7d030ea660f8d364bd07d81dd109cd7f3c4a50ece7a241c7957c7
                                                        • Instruction Fuzzy Hash: 8B81E230B002059FDB669F78D85826E7BE6FF89320F144669E696CB390DE358C41CBD5

                                                        Control-flow Graph

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2728639569.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_1070000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c242430b36c0233cd50ae55b681d0e06ca5e850d0372e9a4c3f4fabd7ef35555
                                                        • Instruction ID: 9941f1658513d9e10adcdd82b7271856d77f758fe5f2ea32eb9176907c36c163
                                                        • Opcode Fuzzy Hash: c242430b36c0233cd50ae55b681d0e06ca5e850d0372e9a4c3f4fabd7ef35555
                                                        • Instruction Fuzzy Hash: 08620A36A143638BC7A68F61E8511EABBF0FFD5235728466FE1C085142D37C4B99CBA1

                                                        Control-flow Graph

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2728639569.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_1070000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: ed7613c1650d43aed32b104efea6c11f5cd97f2cd460da3f80fce8f03b2af374
                                                        • Instruction ID: 5ecd6f61a47a1cea1634a0f1573790aea2efac833b32c7a0ce49215e62b2a074
                                                        • Opcode Fuzzy Hash: ed7613c1650d43aed32b104efea6c11f5cd97f2cd460da3f80fce8f03b2af374
                                                        • Instruction Fuzzy Hash: E2622534A00219DFEB55EBE4C860BAEBBB2FF88301F1080A9D14A6B395CE355D55DF51

                                                        Control-flow Graph

                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2728639569.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_1070000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 4dde1a8c2aca072a1d60b84ff5dda67bc45fd6a2061a0560befe8c5c0291af72
                                                        • Instruction ID: 63b9a08731d1796c97d85d2c3e47de030fc3f68f22d40bba9329760698f82c07
                                                        • Opcode Fuzzy Hash: 4dde1a8c2aca072a1d60b84ff5dda67bc45fd6a2061a0560befe8c5c0291af72
                                                        • Instruction Fuzzy Hash: ABF13C75E00215CFDB05DFACD8849ADBBF6BF88310B1A84A9E555AB361CB31EC41CB94

                                                        Control-flow Graph

                                                        • Opcode Fuzzy Hash: da7bc52ebd009c89b467304365fd2e784b1353562bf3b1c652fdc78b4f45a1e3
                                                        • Instruction Fuzzy Hash: A6210370C0524A8FCB41DFB8C8941EEBFB0FF0A204F1441AAD485E6265EB355A89CBA1
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2728639569.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_1070000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6360fb3502855145feaf30fb817afe6c025d6822eba347bd5737ffc01cfb65e6
                                                        • Instruction ID: 658fcc991547c9f17e8186151e9fb19538ae2148702c54e1020dcb082852da90
                                                        • Opcode Fuzzy Hash: 6360fb3502855145feaf30fb817afe6c025d6822eba347bd5737ffc01cfb65e6
                                                        • Instruction Fuzzy Hash: 370145312083949FDB276B78981486F7FEAEF866107144497E189CB242CA248C02DBF6
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2728639569.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_1070000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5df96e35069c2e8d6b3820dcada0dd2381de633bdf7fce73a3391fb91ac6d5f4
                                                        • Instruction ID: 93083868c675a1635a46a6338dc7340599f6ae84db3f71989493aa444b7cffe4
                                                        • Opcode Fuzzy Hash: 5df96e35069c2e8d6b3820dcada0dd2381de633bdf7fce73a3391fb91ac6d5f4
                                                        • Instruction Fuzzy Hash: 38115E31E002168FEB64EFB8D6446AEBBF6BB88650B454179C655E3200EF31DC418BE9
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2728639569.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_1070000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a3c785f90f4de7cf49bb73f79599d91a0a4299559033653aec88084cc5ac93fd
                                                        • Instruction ID: 9f1c972e35c948e3694716959386d215c200e0d653240122618f56c13101eb7b
                                                        • Opcode Fuzzy Hash: a3c785f90f4de7cf49bb73f79599d91a0a4299559033653aec88084cc5ac93fd
                                                        • Instruction Fuzzy Hash: 4B012232F043104FCB249BBC486457E7FEBEFC6A2030484AAD845CB222EF30C8029754
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2728323744.000000000101D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0101D000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_101d000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 04b342587f02f4df216fd9fa4589941a60fabf0b5787ec5e4e812599987ae7f8
                                                        • Instruction ID: 98d28eaf1eb56cd1785f9be7a88597d7557f8fc3a93ec27947518b88ebd092dd
                                                        • Opcode Fuzzy Hash: 04b342587f02f4df216fd9fa4589941a60fabf0b5787ec5e4e812599987ae7f8
                                                        • Instruction Fuzzy Hash: 7911BE75504280DFCB12CF54D5C4B15BBA2FB84314F24C6AAE8894B657C33AD44ACB61
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2728639569.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_1070000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 81ff373a5b878ef84069ceb7831ff0e47105e873f9fb69707bb3192f5bbe13c7
                                                        • Instruction ID: 2d8ebd8431a58e7dc17b4ae02f66e12130f7afe0130a0d4bc55686543a74e8ed
                                                        • Opcode Fuzzy Hash: 81ff373a5b878ef84069ceb7831ff0e47105e873f9fb69707bb3192f5bbe13c7
                                                        • Instruction Fuzzy Hash: 8B01D632F043144FDB24ABBD986857E7AEBAFC5A207144479E909C7215FF71C80147A4
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2728639569.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_1070000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 8081ab77cc172617709408bc95cd05ac710399283e299eb54d70d4059c6e06d2
                                                        • Instruction ID: 733089fa9b0b09e504b397e75bd68533dc93b5035259b5b1cf3ebd2b70dee2ba
                                                        • Opcode Fuzzy Hash: 8081ab77cc172617709408bc95cd05ac710399283e299eb54d70d4059c6e06d2
                                                        • Instruction Fuzzy Hash: 22018C36A00119EFCB60DF78E8849AFBBF5FB88320B144569E95AD3200D7308911CBA1
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2728639569.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_1070000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 5f2626a386ef40e6df84eae53fe3d408e0685c2b5466805cdfd7df227c3c6ff1
                                                        • Instruction ID: 85f1ca4069fcbc23677bcadb6e353cdf31d3a9072094ffa7a82e8bc37f69e051
                                                        • Opcode Fuzzy Hash: 5f2626a386ef40e6df84eae53fe3d408e0685c2b5466805cdfd7df227c3c6ff1
                                                        • Instruction Fuzzy Hash: 52015275E1010AEFDB649F78D844AAFBBBAFB88310F004539EA1693240DB3089118BA1
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2728639569.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_1070000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 09a780e2c08702f7f32a634b94684d6c1debd7073c7a595e745675153381d646
                                                        • Instruction ID: e8b5cc6d50a9de70bbe57fd19eca264a7a59d000ac4f8dc4be5436988ba4ce2d
                                                        • Opcode Fuzzy Hash: 09a780e2c08702f7f32a634b94684d6c1debd7073c7a595e745675153381d646
                                                        • Instruction Fuzzy Hash: A2F0C832B042515FC7155B6DA4105ABBBFADFC562071500ABE584CB352CA31D802CBA4
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2728639569.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_1070000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 753c6074bb1c8642ba7ae44a81a6670d64f361847a6cdc5dca859daffaa9d539
                                                        • Instruction ID: 16e1b115d4f814ee491e2f1ff923df3820a045b10fafe5892d627d67c662b768
                                                        • Opcode Fuzzy Hash: 753c6074bb1c8642ba7ae44a81a6670d64f361847a6cdc5dca859daffaa9d539
                                                        • Instruction Fuzzy Hash: D5F0F432B001156F8741DE3D98404BBBBEEEBC9254714C06AE449C3341DE31D80287E0
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2728639569.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_1070000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: fbaf33f08bc9dbf9d30128478dec4e5f2ad57da0ed254723fe09484a6ee34588
                                                        • Instruction ID: 3c0e8d7aa3b640598c02597a6b528c6e52976f7b16a371ff6d0ad599ea87f141
                                                        • Opcode Fuzzy Hash: fbaf33f08bc9dbf9d30128478dec4e5f2ad57da0ed254723fe09484a6ee34588
                                                        • Instruction Fuzzy Hash: C7F0F230B093925FC7535778D91855D7FAA9F47740B0544E6F681CB693C8359C04C7B2
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2728639569.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_1070000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0275ed8119bf2fa4d8b3b8e45ee7c6e999dc44ac2f7ab8e195534edd1556850e
                                                        • Instruction ID: 1d562838dfb3098fb03648cb848a09c15d4915274fd912130fa143397014428d
                                                        • Opcode Fuzzy Hash: 0275ed8119bf2fa4d8b3b8e45ee7c6e999dc44ac2f7ab8e195534edd1556850e
                                                        • Instruction Fuzzy Hash: A3F0AF71904248AFDB60EFA9C8809AFFBF5FF4C350710492AD5C4D3201DA30A911DBA5
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2728639569.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_1070000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: eef2c13be471602068b83a9387343aafb14b21c9bc7a5991266038ba55be5422
                                                        • Instruction ID: 1b883ee1f56eb5fe14e16a5703ddb51def1f3ef7166661f2e800084440241dac
                                                        • Opcode Fuzzy Hash: eef2c13be471602068b83a9387343aafb14b21c9bc7a5991266038ba55be5422
                                                        • Instruction Fuzzy Hash: 39F090353102108FC310EF68E498D56BBB5EF8A72071144A6E685CB262CB61EC01CB90
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2728639569.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_1070000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: c22d2b211d97493f5b9ff1c87a1bd3809be514f0b9bbe3e5738e88832254902b
                                                        • Instruction ID: 14cfb327cac81913694e4d835ab3bc1d89770a7625c67122fe732aed84990f81
                                                        • Opcode Fuzzy Hash: c22d2b211d97493f5b9ff1c87a1bd3809be514f0b9bbe3e5738e88832254902b
                                                        • Instruction Fuzzy Hash: 4FF05E35301106DFD710CF59D488D5ABBEAFF88720B548169FA0987331CB71AC52CB84
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2728639569.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_1070000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: df232493f77ba51d9f13e460c477bd55b03ca24ccc2e12a5ba49f5274795fa3f
                                                        • Instruction ID: ec66705c5a19b7076033d3c8b483a2eb41b4a859d81628a4f0cace83230d5e85
                                                        • Opcode Fuzzy Hash: df232493f77ba51d9f13e460c477bd55b03ca24ccc2e12a5ba49f5274795fa3f
                                                        • Instruction Fuzzy Hash: C2E09239A152528FD7A0BB7CD695869BFE1EF5675071448ABEA80C7221D531DC008B90
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2728639569.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_1070000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 2231abecda06718242ec2b890ae10fb36f18291c191df8c481a42021676bd424
                                                        • Instruction ID: dafe325049be24c54661ccc07c9b4ea129ed3a0fa03419ea84ecd3a583be9612
                                                        • Opcode Fuzzy Hash: 2231abecda06718242ec2b890ae10fb36f18291c191df8c481a42021676bd424
                                                        • Instruction Fuzzy Hash: F2E002754613068FD3242B64B9BC27E7A79FB8F317B442D04E18EC9029DB7E54448B95
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2728639569.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_1070000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 523a675b6ee6eda644da95d56b638114d6994cbfa94e7a425ccab67f751a6f89
                                                        • Instruction ID: 406da8c08f7d109d9ef4d02b952be000dbfd3678ad148405b5df02aa1e5f63f2
                                                        • Opcode Fuzzy Hash: 523a675b6ee6eda644da95d56b638114d6994cbfa94e7a425ccab67f751a6f89
                                                        • Instruction Fuzzy Hash: CBE01A32701220AB87249A5AD444C6ABBADEF8AA6531900AAE645C7221CA619C01C6D0
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2728639569.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_1070000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 27915a5757ea9063f4c11ccb2b5689d86205b5feb3fdf7c2896bd5586d7b0f1b
                                                        • Instruction ID: 753f60eaa0692362083d05dfbe3fa11dacab06612004749690cde69394114195
                                                        • Opcode Fuzzy Hash: 27915a5757ea9063f4c11ccb2b5689d86205b5feb3fdf7c2896bd5586d7b0f1b
                                                        • Instruction Fuzzy Hash: F9E02035D502168FCB01D7F49C110DD7F74BD822517588253C4A477051FB30211FD7A1
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2728639569.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_1070000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 32d79534d1c3fc97b657cb34e1db99c4f7d91122f2f27073fef0e95714c6f883
                                                        • Instruction ID: a7925a47f84833d748cca345b0d4b124d72dd65a835aba162b19291c4699523a
                                                        • Opcode Fuzzy Hash: 32d79534d1c3fc97b657cb34e1db99c4f7d91122f2f27073fef0e95714c6f883
                                                        • Instruction Fuzzy Hash: D8D01732D2022A979B10AAA9DC048EEBB38EE96621B908626D52437140EB70265986B1
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2728639569.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_1070000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 248bcc89322a35386f0b44f570bd83a8be1a637a7dc9d9bf57b93e86338169af
                                                        • Instruction ID: e1bbb4ac0845bcc225b9f48bf20b53495cec5985e4bc2baf5b70badb4d67087a
                                                        • Opcode Fuzzy Hash: 248bcc89322a35386f0b44f570bd83a8be1a637a7dc9d9bf57b93e86338169af
                                                        • Instruction Fuzzy Hash: 06D0C737310114A74B152A49A404CAE7B5FDBCD771704C02AFA1583310CE754D1297E5
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2728639569.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_1070000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 169eae33c266ad1b54dc7005ecea0a92714602bc2f603f9b5ac0975c98768b2d
                                                        • Instruction ID: bb6ee32019f0a83019f708f65abb0d7688946cc7f8812028cf51305238002f43
                                                        • Opcode Fuzzy Hash: 169eae33c266ad1b54dc7005ecea0a92714602bc2f603f9b5ac0975c98768b2d
                                                        • Instruction Fuzzy Hash: 4CE0BD38E04209CFCF10DFA9E54849CB7B9FB48301B008466E829AB210DA386911CF01
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2728639569.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_2_2_1070000_HUSDGHCE23ED.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 1b3086f16264d80df870cc37e4dff648ea1225f30d9780bdeeb0b38340b82eb8
                                                        • Instruction ID: c36e4ac19d1d6853a93837d0da6b9f003b68dbd89066ed0fdbff9a34ee7db756
                                                        • Opcode Fuzzy Hash: 1b3086f16264d80df870cc37e4dff648ea1225f30d9780bdeeb0b38340b82eb8
                                                        • Instruction Fuzzy Hash: B7D0673AB00009AFCB159F98E8409DDF7B6FB98221B048156EA16A3260C631A961DB90
                                                        Memory Dump Source
                                                        • Source File: 00000002.00000002.2728639569.0000000001070000.00000040.00000800.00020000.00000000.sdmp, Offset: 01070000, based on PE: false