Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
HUBED342024.exe

Overview

General Information

Sample name:HUBED342024.exe
Analysis ID:1580087
MD5:8e148751995240a3f18c5bd846783d2d
SHA1:576f54bd58d27c1e7d779c9900388c8dfc7c02be
SHA256:776e675ee48e029e417d5ed22ef53ccb5225660871d2152c4f4dc786eff91e62
Tags:exeuser-TeamDreier
Infos:

Detection

MassLogger RAT
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected MassLogger RAT
Yara detected Telegram RAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • HUBED342024.exe (PID: 7352 cmdline: "C:\Users\user\Desktop\HUBED342024.exe" MD5: 8E148751995240A3F18C5BD846783D2D)
    • powershell.exe (PID: 7552 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HUBED342024.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7776 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • HUBED342024.exe (PID: 7560 cmdline: "C:\Users\user\Desktop\HUBED342024.exe" MD5: 8E148751995240A3F18C5BD846783D2D)
  • cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "Telegram", "Telegram Token": "7704742999:AAG0GCBtZYjgQBMY4ELoXFDZtEO_hdGA7UY", "Telegram Chatid": "7245529134"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000005.00000002.3423260696.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_MassLoggerYara detected MassLogger RATJoe Security
    00000005.00000002.3423260696.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      00000005.00000002.3423260696.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
        00000005.00000002.3423260696.0000000000402000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_SnakeKeylogger_af3faa65unknownunknown
        • 0xefdf:$a1: get_encryptedPassword
        • 0xf307:$a2: get_encryptedUsername
        • 0xed7a:$a3: get_timePasswordChanged
        • 0xee9b:$a4: get_passwordField
        • 0xeff5:$a5: set_encryptedPassword
        • 0x10951:$a7: get_logins
        • 0x10602:$a8: GetOutlookPasswords
        • 0x103f4:$a9: StartKeylogger
        • 0x108a1:$a10: KeyLoggerEventArgs
        • 0x10451:$a11: KeyLoggerEventArgsEventHandler
        00000005.00000002.3425599530.0000000002A54000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          Click to see the 17 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          1.2.HUBED342024.exe.3b91ae8.4.raw.unpackJoeSecurity_MassLoggerYara detected MassLogger RATJoe Security
            1.2.HUBED342024.exe.3b91ae8.4.raw.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              1.2.HUBED342024.exe.3b91ae8.4.raw.unpackJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
                1.2.HUBED342024.exe.3b91ae8.4.raw.unpackWindows_Trojan_SnakeKeylogger_af3faa65unknownunknown
                • 0xf1df:$a1: get_encryptedPassword
                • 0xf507:$a2: get_encryptedUsername
                • 0xef7a:$a3: get_timePasswordChanged
                • 0xf09b:$a4: get_passwordField
                • 0xf1f5:$a5: set_encryptedPassword
                • 0x10b51:$a7: get_logins
                • 0x10802:$a8: GetOutlookPasswords
                • 0x105f4:$a9: StartKeylogger
                • 0x10aa1:$a10: KeyLoggerEventArgs
                • 0x10651:$a11: KeyLoggerEventArgsEventHandler
                1.2.HUBED342024.exe.3b91ae8.4.raw.unpackMAL_Envrial_Jan18_1Detects Encrial credential stealer malwareFlorian Roth
                • 0x1418b:$a2: \Comodo\Dragon\User Data\Default\Login Data
                • 0x13689:$a3: \Google\Chrome\User Data\Default\Login Data
                • 0x13997:$a4: \Orbitum\User Data\Default\Login Data
                • 0x1478f:$a5: \Kometa\User Data\Default\Login Data
                Click to see the 19 entries

                Sigma Signatures

                System Summary

                barindex
                Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HUBED342024.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HUBED342024.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\HUBED342024.exe", ParentImage: C:\Users\user\Desktop\HUBED342024.exe, ParentProcessId: 7352, ParentProcessName: HUBED342024.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HUBED342024.exe", ProcessId: 7552, ProcessName: powershell.exe
                Sigma detected: Powershell Defender Exclusion
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HUBED342024.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HUBED342024.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\HUBED342024.exe", ParentImage: C:\Users\user\Desktop\HUBED342024.exe, ParentProcessId: 7352, ParentProcessName: HUBED342024.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HUBED342024.exe", ProcessId: 7552, ProcessName: powershell.exe
                Sigma detected: Non Interactive PowerShell Process Spawned
                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HUBED342024.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HUBED342024.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\HUBED342024.exe", ParentImage: C:\Users\user\Desktop\HUBED342024.exe, ParentProcessId: 7352, ParentProcessName: HUBED342024.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HUBED342024.exe", ProcessId: 7552, ProcessName: powershell.exe

                Suricata Signatures

                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-12-23T21:50:16.133490+010028032742Potentially Bad Traffic192.168.2.649718193.122.6.16880TCP

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Found malware configuration
                Source: 00000001.00000002.2181052353.0000000003B79000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7704742999:AAG0GCBtZYjgQBMY4ELoXFDZtEO_hdGA7UY", "Telegram Chatid": "7245529134"}
                Multi AV Scanner detection for submitted file
                Source: HUBED342024.exeReversingLabs: Detection: 73%
                AI detected suspicious sample
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Machine Learning detection for sample
                Source: HUBED342024.exeJoe Sandbox ML: detected

                Location Tracking

                barindex
                Tries to detect the country of the analysis system (by using the IP)
                Source: unknownDNS query: name: reallyfreegeoip.org
                Source: HUBED342024.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: unknownHTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.6:49723 version: TLS 1.0
                Source: HUBED342024.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: C:\Users\user\Desktop\HUBED342024.exeCode function: 4x nop then jmp 00E09731h5_2_00E09480
                Source: C:\Users\user\Desktop\HUBED342024.exeCode function: 4x nop then jmp 00E09E5Ah5_2_00E09A40
                Source: C:\Users\user\Desktop\HUBED342024.exeCode function: 4x nop then jmp 00E09E5Ah5_2_00E09A30
                Source: C:\Users\user\Desktop\HUBED342024.exeCode function: 4x nop then jmp 00E09E5Ah5_2_00E09D87
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: Joe Sandbox ViewIP Address: 193.122.6.168 193.122.6.168
                Source: Joe Sandbox ViewIP Address: 172.67.177.134 172.67.177.134
                Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                Source: unknownDNS query: name: checkip.dyndns.org
                Source: unknownDNS query: name: reallyfreegeoip.org
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49718 -> 193.122.6.168:80
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: unknownHTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.6:49723 version: TLS 1.0
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
                Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
                Source: HUBED342024.exe, 00000005.00000002.3425599530.000000000297E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.com
                Source: HUBED342024.exe, 00000005.00000002.3425599530.000000000297E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.comd
                Source: HUBED342024.exe, 00000005.00000002.3425599530.000000000297E000.00000004.00000800.00020000.00000000.sdmp, HUBED342024.exe, 00000005.00000002.3425599530.000000000296C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
                Source: HUBED342024.exe, 00000005.00000002.3425599530.0000000002901000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
                Source: HUBED342024.exe, 00000005.00000002.3425599530.000000000297E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/d
                Source: HUBED342024.exe, 00000001.00000002.2181052353.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, HUBED342024.exe, 00000001.00000002.2181052353.0000000003BC8000.00000004.00000800.00020000.00000000.sdmp, HUBED342024.exe, 00000005.00000002.3423260696.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
                Source: HUBED342024.exe, 00000005.00000002.3425599530.000000000297E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.orgd
                Source: HUBED342024.exe, 00000005.00000002.3425599530.000000000299C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.org
                Source: HUBED342024.exe, 00000005.00000002.3425599530.000000000299C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.orgd
                Source: HUBED342024.exe, 00000001.00000002.2180525420.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, HUBED342024.exe, 00000005.00000002.3425599530.0000000002901000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: HUBED342024.exe, 00000001.00000002.2181052353.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, HUBED342024.exe, 00000001.00000002.2181052353.0000000003BC8000.00000004.00000800.00020000.00000000.sdmp, HUBED342024.exe, 00000005.00000002.3423260696.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
                Source: HUBED342024.exe, 00000005.00000002.3425599530.000000000297E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
                Source: HUBED342024.exe, 00000001.00000002.2181052353.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, HUBED342024.exe, 00000001.00000002.2181052353.0000000003BC8000.00000004.00000800.00020000.00000000.sdmp, HUBED342024.exe, 00000005.00000002.3425599530.000000000297E000.00000004.00000800.00020000.00000000.sdmp, HUBED342024.exe, 00000005.00000002.3423260696.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
                Source: HUBED342024.exe, 00000005.00000002.3425599530.000000000297E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
                Source: HUBED342024.exe, 00000005.00000002.3425599530.000000000297E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
                Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                barindex
                Contains functionality to log keystrokes (.Net Source)
                Source: 1.2.HUBED342024.exe.3b91ae8.4.raw.unpack, UltraSpeed.cs.Net Code: VKCodeToUnicode
                Source: 1.2.HUBED342024.exe.3c2ea70.1.raw.unpack, UltraSpeed.cs.Net Code: VKCodeToUnicode

                System Summary

                barindex
                Malicious sample detected (through community Yara rule)
                Source: 1.2.HUBED342024.exe.3b91ae8.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 1.2.HUBED342024.exe.3b91ae8.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 5.2.HUBED342024.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 1.2.HUBED342024.exe.3c2ea70.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 1.2.HUBED342024.exe.3b91ae8.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 5.2.HUBED342024.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 1.2.HUBED342024.exe.3c2ea70.1.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 1.2.HUBED342024.exe.3b91ae8.4.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 1.2.HUBED342024.exe.3c2ea70.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000005.00000002.3423260696.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000001.00000002.2181052353.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000001.00000002.2181052353.0000000003BC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: HUBED342024.exe PID: 7352, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: HUBED342024.exe PID: 7560, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: C:\Users\user\Desktop\HUBED342024.exeCode function: 1_2_051544581_2_05154458
                Source: C:\Users\user\Desktop\HUBED342024.exeCode function: 1_2_051544481_2_05154448
                Source: C:\Users\user\Desktop\HUBED342024.exeCode function: 1_2_051524E41_2_051524E4
                Source: C:\Users\user\Desktop\HUBED342024.exeCode function: 1_2_07031DE81_2_07031DE8
                Source: C:\Users\user\Desktop\HUBED342024.exeCode function: 1_2_0703CDF01_2_0703CDF0
                Source: C:\Users\user\Desktop\HUBED342024.exeCode function: 1_2_070349481_2_07034948
                Source: C:\Users\user\Desktop\HUBED342024.exeCode function: 1_2_072937501_2_07293750
                Source: C:\Users\user\Desktop\HUBED342024.exeCode function: 1_2_072975201_2_07297520
                Source: C:\Users\user\Desktop\HUBED342024.exeCode function: 1_2_072975301_2_07297530
                Source: C:\Users\user\Desktop\HUBED342024.exeCode function: 1_2_072970F81_2_072970F8
                Source: C:\Users\user\Desktop\HUBED342024.exeCode function: 1_2_0729DE401_2_0729DE40
                Source: C:\Users\user\Desktop\HUBED342024.exeCode function: 1_2_07298C381_2_07298C38
                Source: C:\Users\user\Desktop\HUBED342024.exeCode function: 1_2_07296CC01_2_07296CC0
                Source: C:\Users\user\Desktop\HUBED342024.exeCode function: 1_2_072968881_2_07296888
                Source: C:\Users\user\Desktop\HUBED342024.exeCode function: 5_2_00E0C5305_2_00E0C530
                Source: C:\Users\user\Desktop\HUBED342024.exeCode function: 5_2_00E02DD15_2_00E02DD1
                Source: C:\Users\user\Desktop\HUBED342024.exeCode function: 5_2_00E094805_2_00E09480
                Source: C:\Users\user\Desktop\HUBED342024.exeCode function: 5_2_00E0C5215_2_00E0C521
                Source: C:\Users\user\Desktop\HUBED342024.exeCode function: 5_2_00E0946F5_2_00E0946F
                Source: HUBED342024.exe, 00000001.00000002.2180525420.0000000002B7F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCaptive.dll" vs HUBED342024.exe
                Source: HUBED342024.exe, 00000001.00000002.2184781499.0000000005700000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCaptive.dll" vs HUBED342024.exe
                Source: HUBED342024.exe, 00000001.00000002.2185964899.00000000077B0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs HUBED342024.exe
                Source: HUBED342024.exe, 00000001.00000002.2181052353.0000000003B79000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCloudServices.exe< vs HUBED342024.exe
                Source: HUBED342024.exe, 00000001.00000000.2163683988.00000000008B0000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameEDhb.exe" vs HUBED342024.exe
                Source: HUBED342024.exe, 00000001.00000002.2180525420.0000000002B71000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCloudServices.exe< vs HUBED342024.exe
                Source: HUBED342024.exe, 00000001.00000002.2181052353.0000000003BC8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCloudServices.exe< vs HUBED342024.exe
                Source: HUBED342024.exe, 00000001.00000002.2181052353.0000000003BC8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs HUBED342024.exe
                Source: HUBED342024.exe, 00000001.00000002.2179563186.0000000000F7E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs HUBED342024.exe
                Source: HUBED342024.exe, 00000005.00000002.3423576970.0000000000957000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs HUBED342024.exe
                Source: HUBED342024.exe, 00000005.00000002.3423260696.000000000041A000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCloudServices.exe< vs HUBED342024.exe
                Source: HUBED342024.exeBinary or memory string: OriginalFilenameEDhb.exe" vs HUBED342024.exe
                Source: HUBED342024.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 1.2.HUBED342024.exe.3b91ae8.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 1.2.HUBED342024.exe.3b91ae8.4.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 5.2.HUBED342024.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 1.2.HUBED342024.exe.3c2ea70.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 1.2.HUBED342024.exe.3b91ae8.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 5.2.HUBED342024.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 1.2.HUBED342024.exe.3c2ea70.1.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 1.2.HUBED342024.exe.3b91ae8.4.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 1.2.HUBED342024.exe.3c2ea70.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000005.00000002.3423260696.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000001.00000002.2181052353.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000001.00000002.2181052353.0000000003BC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: HUBED342024.exe PID: 7352, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: HUBED342024.exe PID: 7560, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: HUBED342024.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 1.2.HUBED342024.exe.3b91ae8.4.raw.unpack, UltraSpeed.csCryptographic APIs: 'TransformFinalBlock'
                Source: 1.2.HUBED342024.exe.3b91ae8.4.raw.unpack, COVIDPickers.csCryptographic APIs: 'TransformFinalBlock'
                Source: 1.2.HUBED342024.exe.3c2ea70.1.raw.unpack, UltraSpeed.csCryptographic APIs: 'TransformFinalBlock'
                Source: 1.2.HUBED342024.exe.3c2ea70.1.raw.unpack, COVIDPickers.csCryptographic APIs: 'TransformFinalBlock'
                Source: 1.2.HUBED342024.exe.3d47e08.3.raw.unpack, vGEZyueWSOhGtBk4qt.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 1.2.HUBED342024.exe.3da2e28.2.raw.unpack, vGEZyueWSOhGtBk4qt.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 1.2.HUBED342024.exe.77b0000.6.raw.unpack, BKfcZoJdDv53wrRPdB.csSecurity API names: _0020.SetAccessControl
                Source: 1.2.HUBED342024.exe.77b0000.6.raw.unpack, BKfcZoJdDv53wrRPdB.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 1.2.HUBED342024.exe.77b0000.6.raw.unpack, BKfcZoJdDv53wrRPdB.csSecurity API names: _0020.AddAccessRule
                Source: 1.2.HUBED342024.exe.3d47e08.3.raw.unpack, BKfcZoJdDv53wrRPdB.csSecurity API names: _0020.SetAccessControl
                Source: 1.2.HUBED342024.exe.3d47e08.3.raw.unpack, BKfcZoJdDv53wrRPdB.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 1.2.HUBED342024.exe.3d47e08.3.raw.unpack, BKfcZoJdDv53wrRPdB.csSecurity API names: _0020.AddAccessRule
                Source: 1.2.HUBED342024.exe.77b0000.6.raw.unpack, vGEZyueWSOhGtBk4qt.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 1.2.HUBED342024.exe.3da2e28.2.raw.unpack, BKfcZoJdDv53wrRPdB.csSecurity API names: _0020.SetAccessControl
                Source: 1.2.HUBED342024.exe.3da2e28.2.raw.unpack, BKfcZoJdDv53wrRPdB.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 1.2.HUBED342024.exe.3da2e28.2.raw.unpack, BKfcZoJdDv53wrRPdB.csSecurity API names: _0020.AddAccessRule
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/6@2/2
                Source: C:\Users\user\Desktop\HUBED342024.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HUBED342024.exe.logJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeMutant created: NULL
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7568:120:WilError_03
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z3iwkv4x.r2w.ps1Jump to behavior
                Source: HUBED342024.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: HUBED342024.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\HUBED342024.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: HUBED342024.exe, 00000005.00000002.3425599530.00000000029EE000.00000004.00000800.00020000.00000000.sdmp, HUBED342024.exe, 00000005.00000002.3425599530.0000000002A1D000.00000004.00000800.00020000.00000000.sdmp, HUBED342024.exe, 00000005.00000002.3425599530.00000000029DE000.00000004.00000800.00020000.00000000.sdmp, HUBED342024.exe, 00000005.00000002.3427263189.000000000392D000.00000004.00000800.00020000.00000000.sdmp, HUBED342024.exe, 00000005.00000002.3425599530.0000000002A10000.00000004.00000800.00020000.00000000.sdmp, HUBED342024.exe, 00000005.00000002.3425599530.00000000029FC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: HUBED342024.exeReversingLabs: Detection: 73%
                Source: unknownProcess created: C:\Users\user\Desktop\HUBED342024.exe "C:\Users\user\Desktop\HUBED342024.exe"
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HUBED342024.exe"
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess created: C:\Users\user\Desktop\HUBED342024.exe "C:\Users\user\Desktop\HUBED342024.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HUBED342024.exe"Jump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess created: C:\Users\user\Desktop\HUBED342024.exe "C:\Users\user\Desktop\HUBED342024.exe"Jump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\HUBED342024.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: HUBED342024.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: HUBED342024.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Data Obfuscation

                barindex
                .NET source code contains potential unpacker
                Source: 1.2.HUBED342024.exe.3da2e28.2.raw.unpack, BKfcZoJdDv53wrRPdB.cs.Net Code: vtMWQOhDBp System.Reflection.Assembly.Load(byte[])
                Source: 1.2.HUBED342024.exe.77b0000.6.raw.unpack, BKfcZoJdDv53wrRPdB.cs.Net Code: vtMWQOhDBp System.Reflection.Assembly.Load(byte[])
                Source: 1.2.HUBED342024.exe.3d47e08.3.raw.unpack, BKfcZoJdDv53wrRPdB.cs.Net Code: vtMWQOhDBp System.Reflection.Assembly.Load(byte[])
                Source: C:\Users\user\Desktop\HUBED342024.exeCode function: 1_2_05151668 push 1C050BCFh; iretd 1_2_0515166D
                Source: C:\Users\user\Desktop\HUBED342024.exeCode function: 1_2_05150CC8 pushfd ; retf 1_2_05150CD1
                Source: C:\Users\user\Desktop\HUBED342024.exeCode function: 1_2_07295C72 pushfd ; ret 1_2_07295C81
                Source: C:\Users\user\Desktop\HUBED342024.exeCode function: 5_2_00E0B3A8 push eax; iretd 5_2_00E0B445
                Source: HUBED342024.exeStatic PE information: section name: .text entropy: 7.3371981191853
                Source: 1.2.HUBED342024.exe.3da2e28.2.raw.unpack, ntaqAjggZ3soHhG3ngL.csHigh entropy of concatenated method names: 'ikkUi9kMwl', 'dQuUz3WfGk', 'VVVTfk29ul', 'TqCTgAwClt', 'bbITst5N78', 'vYrTXMCjed', 'lZ8TWNPGst', 'E8pTClyggH', 'outTtsQhpq', 'I92TcuE7CC'
                Source: 1.2.HUBED342024.exe.3da2e28.2.raw.unpack, r3PZeRYkfcj0D0oe9W.csHigh entropy of concatenated method names: 'W8SnkFVHJo', 'fXFnVdqZXN', 'DCLnYhi7ZN', 'aKWnIXdtOV', 'FHJnbjgvfC', 'dIvn13o0bM', 'ldmnZSL5io', 'yssnqptkHo', 'd9Ln4TIuDn', 'Q2GnKNy27R'
                Source: 1.2.HUBED342024.exe.3da2e28.2.raw.unpack, Qip3YMgWuX7c2TIXiTT.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zTwHDmrCKg', 'TWrHUSwtKi', 'lagHTyva1b', 'kLAHHE83he', 'ClhHP4xeI0', 'QbBHpwu4m6', 'NKmHNrFpkx'
                Source: 1.2.HUBED342024.exe.3da2e28.2.raw.unpack, u70kBqWEe0Gq5IFHi8.csHigh entropy of concatenated method names: 'QiPgRGEZyu', 'dSOgJhGtBk', 'hkrg9PvTgH', 'fipgFv4NRa', 'J5HgnfA5L3', 'E78gjHlMRu', 'vQCIPxxiv5kJk0Tw6k', 'zompKGJOe8sH6kAqL0', 'LSyggBkMFF', 'Tr3gXIsews'
                Source: 1.2.HUBED342024.exe.3da2e28.2.raw.unpack, RXDF57zVDhYSt7uLZL.csHigh entropy of concatenated method names: 'eZWUMS9aiE', 'W7xUetspYe', 'optU8IObZK', 'dq0U3rkXC4', 'eBaUb1GIBg', 'RdjUZXYKpL', 'B3qUqMAN8k', 'wh9UNbutsC', 'sjGUaQwyU8', 'pI6U2mWfSO'
                Source: 1.2.HUBED342024.exe.3da2e28.2.raw.unpack, sjXoshBoHC8PXIJvtT.csHigh entropy of concatenated method names: 'S9AmeT4QYA', 'thcm8FylVJ', 'KwOm3R7Eyi', 'iNGmbibCQW', 'NjDmZl0oYj', 'ukxmqJWWwR', 'M4xmK4O2MY', 'RbtmhG6SP6', 'Behmk78EM1', 'OnymGypPlq'
                Source: 1.2.HUBED342024.exe.3da2e28.2.raw.unpack, zfe1sdbrR2S03mAHDS.csHigh entropy of concatenated method names: 'Mu9RN2MsnMLxftf7hxj', 'FhwSLuMCAWoyrjo5cxj', 'pily5VyfZX', 'LaZyDA8C5Y', 'd35yUkIvn0', 'gB8pEJMXrkV6RYu7iMW', 'bIIr3bMvV8O1KK6u4i0', 'mQpFCwMQj6cuj2p5TRG'
                Source: 1.2.HUBED342024.exe.3da2e28.2.raw.unpack, wjOyZASY3yGLp2qtFy.csHigh entropy of concatenated method names: 'NtZ762f4Yq', 'GLb7i7dZMo', 'DCS5fe16T5', 'eZj5guH8cO', 'Nqj7GxgVXk', 'MIM7VMVSx5', 'Gc07BSliKk', 'nAc7YaP6PA', 'AqK7IZFurA', 'Q6d7x721qO'
                Source: 1.2.HUBED342024.exe.3da2e28.2.raw.unpack, SrFKEasbuAJ5pUuDKk.csHigh entropy of concatenated method names: 'RY3Qw4V8n', 'LJ8vGPSHF', 'EUvMvcdkK', 'irouDcsXv', 'Sml81P11m', 'hjKOAdkeN', 'yayX0KO1VneleoyVg5', 'S54KBbAx5455PGPGOW', 'jGF5a4swX', 'VZvU4fL18'
                Source: 1.2.HUBED342024.exe.3da2e28.2.raw.unpack, memblcxctooqU42Wlx.csHigh entropy of concatenated method names: 'ToString', 'A5HjG4MRDr', 'FtZjbyAJVr', 'hMaj1HcokF', 'eBDjZEuA2E', 'Q3PjqVjo8g', 'qsVj4eDseO', 'Hs8jKvC9e2', 'QCsjh3ubDi', 'HBRjoBRoTg'
                Source: 1.2.HUBED342024.exe.3da2e28.2.raw.unpack, VLHouGcExBE4ubhDhj.csHigh entropy of concatenated method names: 'Dispose', 'NONgdj3B31', 'm0JsbL3qsZ', 'IuveBToG9e', 'OXwgilhlu6', 'jN9gz5GWfB', 'ProcessDialogKey', 'yM6sfbvNju', 'zJUsg2sGTL', 'xUcssLfANd'
                Source: 1.2.HUBED342024.exe.3da2e28.2.raw.unpack, rL3e783HlMRuXmYr9c.csHigh entropy of concatenated method names: 'XdyyCdH2xN', 'ATsycLuy6j', 'sS2ywugLUg', 'SNryRxiYkQ', 'iliyJbQscc', 'vLiwAP7KIQ', 'mHJwSym4Uy', 'vvfw0bwLfg', 'GiYw6UXBaa', 'XBVwdsyLt3'
                Source: 1.2.HUBED342024.exe.3da2e28.2.raw.unpack, STxdj8oZCEeIpOIg9N.csHigh entropy of concatenated method names: 'CAKRaL7e5a', 'a4BR2NduZV', 'gubRQnvot9', 'KABRvmWbud', 'ou1RlyVcom', 'lurRM6W3n8', 'R6hRuaYEld', 'y86RegthsC', 'IJ6R8QR2L8', 'k2sROyfcZ6'
                Source: 1.2.HUBED342024.exe.3da2e28.2.raw.unpack, OgOEMw8krPvTgHtipv.csHigh entropy of concatenated method names: 'DeTrvlU3TN', 'Y25rMrCFFT', 'O6xreYuodu', 'H1Pr8nI8yP', 'iW2rnaMNjn', 'XsFrj9HpA5', 'aXcr74hkAM', 'Ya8r5IAOyM', 'fYcrDx4970', 'LSkrUkMwyn'
                Source: 1.2.HUBED342024.exe.3da2e28.2.raw.unpack, bdOuco0jQkONj3B31G.csHigh entropy of concatenated method names: 'D9xDns5fu7', 'jsHD7nqgG3', 'fflDDVmKTb', 'SLMDT6CmDU', 'dwFDPobBXC', 'nIEDNlMEWv', 'Dispose', 'ruZ5tPStcH', 'cDU5cPtrlG', 'Vrt5rOs8Gl'
                Source: 1.2.HUBED342024.exe.3da2e28.2.raw.unpack, XbvNjudQJU2sGTLaUc.csHigh entropy of concatenated method names: 'qiCD3hVoxw', 'EKgDbR2Ojr', 'ScRD1KiNKs', 'GvxDZ03cR3', 'NtwDqWXBvC', 'QaPD4kO6SG', 'rHiDKfGg60', 'OWvDhGLPaT', 'sbpDoekgJy', 'iroDk9ds1m'
                Source: 1.2.HUBED342024.exe.3da2e28.2.raw.unpack, SYsihOK0CESMR7nfpc.csHigh entropy of concatenated method names: 'SFVRtfqSIp', 'gfSRrHpRUd', 'du5Rye3UAM', 'f5qyiuBhpC', 'u5Wyz01Xxc', 'P5xRfpXN4y', 'PNTRgLhrfp', 'DtURsbYYkA', 'IMsRXsMEuA', 'ziVRWFxiDl'
                Source: 1.2.HUBED342024.exe.3da2e28.2.raw.unpack, vGEZyueWSOhGtBk4qt.csHigh entropy of concatenated method names: 'oB9cYku0gl', 'DU6cIFrlZX', 'VE5cxKvGgn', 'KArcLosE9x', 'knmcAM43SY', 'KJGcSoBQXo', 'NHAc0c5uO6', 'uwGc6TAIZs', 'kXkcd2EhEO', 'uDCciAjEih'
                Source: 1.2.HUBED342024.exe.3da2e28.2.raw.unpack, HNV5HZgfLkmaWU3kWHS.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Y7QUG8wMrN', 'JaKUVqJ5La', 'pybUBbjbRT', 'A3WUY0gf4U', 'iihUIOHROy', 'zK0UxVJbbV', 'tsYULZTJuY'
                Source: 1.2.HUBED342024.exe.3da2e28.2.raw.unpack, BKfcZoJdDv53wrRPdB.csHigh entropy of concatenated method names: 'vtSXC51igh', 'GsIXt7okav', 'REZXcOl4yL', 'C76XrhV0GF', 'J5UXwKfH4D', 'RWhXyGMK4t', 'zJtXRoGX7S', 'KrkXJUhcRM', 'J2yXEBA3U1', 'L7QX9jYTxY'
                Source: 1.2.HUBED342024.exe.3da2e28.2.raw.unpack, TfANd1iQAAEMLdV3ev.csHigh entropy of concatenated method names: 'HaNUrskMOG', 'SCRUwCbIgc', 'ocVUy8pxyi', 'wrEURdsRjE', 'etmUDdDm1m', 'CViUJCaZ0U', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 1.2.HUBED342024.exe.77b0000.6.raw.unpack, ntaqAjggZ3soHhG3ngL.csHigh entropy of concatenated method names: 'ikkUi9kMwl', 'dQuUz3WfGk', 'VVVTfk29ul', 'TqCTgAwClt', 'bbITst5N78', 'vYrTXMCjed', 'lZ8TWNPGst', 'E8pTClyggH', 'outTtsQhpq', 'I92TcuE7CC'
                Source: 1.2.HUBED342024.exe.77b0000.6.raw.unpack, r3PZeRYkfcj0D0oe9W.csHigh entropy of concatenated method names: 'W8SnkFVHJo', 'fXFnVdqZXN', 'DCLnYhi7ZN', 'aKWnIXdtOV', 'FHJnbjgvfC', 'dIvn13o0bM', 'ldmnZSL5io', 'yssnqptkHo', 'd9Ln4TIuDn', 'Q2GnKNy27R'
                Source: 1.2.HUBED342024.exe.77b0000.6.raw.unpack, Qip3YMgWuX7c2TIXiTT.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zTwHDmrCKg', 'TWrHUSwtKi', 'lagHTyva1b', 'kLAHHE83he', 'ClhHP4xeI0', 'QbBHpwu4m6', 'NKmHNrFpkx'
                Source: 1.2.HUBED342024.exe.77b0000.6.raw.unpack, u70kBqWEe0Gq5IFHi8.csHigh entropy of concatenated method names: 'QiPgRGEZyu', 'dSOgJhGtBk', 'hkrg9PvTgH', 'fipgFv4NRa', 'J5HgnfA5L3', 'E78gjHlMRu', 'vQCIPxxiv5kJk0Tw6k', 'zompKGJOe8sH6kAqL0', 'LSyggBkMFF', 'Tr3gXIsews'
                Source: 1.2.HUBED342024.exe.77b0000.6.raw.unpack, RXDF57zVDhYSt7uLZL.csHigh entropy of concatenated method names: 'eZWUMS9aiE', 'W7xUetspYe', 'optU8IObZK', 'dq0U3rkXC4', 'eBaUb1GIBg', 'RdjUZXYKpL', 'B3qUqMAN8k', 'wh9UNbutsC', 'sjGUaQwyU8', 'pI6U2mWfSO'
                Source: 1.2.HUBED342024.exe.77b0000.6.raw.unpack, sjXoshBoHC8PXIJvtT.csHigh entropy of concatenated method names: 'S9AmeT4QYA', 'thcm8FylVJ', 'KwOm3R7Eyi', 'iNGmbibCQW', 'NjDmZl0oYj', 'ukxmqJWWwR', 'M4xmK4O2MY', 'RbtmhG6SP6', 'Behmk78EM1', 'OnymGypPlq'
                Source: 1.2.HUBED342024.exe.77b0000.6.raw.unpack, zfe1sdbrR2S03mAHDS.csHigh entropy of concatenated method names: 'Mu9RN2MsnMLxftf7hxj', 'FhwSLuMCAWoyrjo5cxj', 'pily5VyfZX', 'LaZyDA8C5Y', 'd35yUkIvn0', 'gB8pEJMXrkV6RYu7iMW', 'bIIr3bMvV8O1KK6u4i0', 'mQpFCwMQj6cuj2p5TRG'
                Source: 1.2.HUBED342024.exe.77b0000.6.raw.unpack, wjOyZASY3yGLp2qtFy.csHigh entropy of concatenated method names: 'NtZ762f4Yq', 'GLb7i7dZMo', 'DCS5fe16T5', 'eZj5guH8cO', 'Nqj7GxgVXk', 'MIM7VMVSx5', 'Gc07BSliKk', 'nAc7YaP6PA', 'AqK7IZFurA', 'Q6d7x721qO'
                Source: 1.2.HUBED342024.exe.77b0000.6.raw.unpack, SrFKEasbuAJ5pUuDKk.csHigh entropy of concatenated method names: 'RY3Qw4V8n', 'LJ8vGPSHF', 'EUvMvcdkK', 'irouDcsXv', 'Sml81P11m', 'hjKOAdkeN', 'yayX0KO1VneleoyVg5', 'S54KBbAx5455PGPGOW', 'jGF5a4swX', 'VZvU4fL18'
                Source: 1.2.HUBED342024.exe.77b0000.6.raw.unpack, memblcxctooqU42Wlx.csHigh entropy of concatenated method names: 'ToString', 'A5HjG4MRDr', 'FtZjbyAJVr', 'hMaj1HcokF', 'eBDjZEuA2E', 'Q3PjqVjo8g', 'qsVj4eDseO', 'Hs8jKvC9e2', 'QCsjh3ubDi', 'HBRjoBRoTg'
                Source: 1.2.HUBED342024.exe.77b0000.6.raw.unpack, VLHouGcExBE4ubhDhj.csHigh entropy of concatenated method names: 'Dispose', 'NONgdj3B31', 'm0JsbL3qsZ', 'IuveBToG9e', 'OXwgilhlu6', 'jN9gz5GWfB', 'ProcessDialogKey', 'yM6sfbvNju', 'zJUsg2sGTL', 'xUcssLfANd'
                Source: 1.2.HUBED342024.exe.77b0000.6.raw.unpack, rL3e783HlMRuXmYr9c.csHigh entropy of concatenated method names: 'XdyyCdH2xN', 'ATsycLuy6j', 'sS2ywugLUg', 'SNryRxiYkQ', 'iliyJbQscc', 'vLiwAP7KIQ', 'mHJwSym4Uy', 'vvfw0bwLfg', 'GiYw6UXBaa', 'XBVwdsyLt3'
                Source: 1.2.HUBED342024.exe.77b0000.6.raw.unpack, STxdj8oZCEeIpOIg9N.csHigh entropy of concatenated method names: 'CAKRaL7e5a', 'a4BR2NduZV', 'gubRQnvot9', 'KABRvmWbud', 'ou1RlyVcom', 'lurRM6W3n8', 'R6hRuaYEld', 'y86RegthsC', 'IJ6R8QR2L8', 'k2sROyfcZ6'
                Source: 1.2.HUBED342024.exe.77b0000.6.raw.unpack, OgOEMw8krPvTgHtipv.csHigh entropy of concatenated method names: 'DeTrvlU3TN', 'Y25rMrCFFT', 'O6xreYuodu', 'H1Pr8nI8yP', 'iW2rnaMNjn', 'XsFrj9HpA5', 'aXcr74hkAM', 'Ya8r5IAOyM', 'fYcrDx4970', 'LSkrUkMwyn'
                Source: 1.2.HUBED342024.exe.77b0000.6.raw.unpack, bdOuco0jQkONj3B31G.csHigh entropy of concatenated method names: 'D9xDns5fu7', 'jsHD7nqgG3', 'fflDDVmKTb', 'SLMDT6CmDU', 'dwFDPobBXC', 'nIEDNlMEWv', 'Dispose', 'ruZ5tPStcH', 'cDU5cPtrlG', 'Vrt5rOs8Gl'
                Source: 1.2.HUBED342024.exe.77b0000.6.raw.unpack, XbvNjudQJU2sGTLaUc.csHigh entropy of concatenated method names: 'qiCD3hVoxw', 'EKgDbR2Ojr', 'ScRD1KiNKs', 'GvxDZ03cR3', 'NtwDqWXBvC', 'QaPD4kO6SG', 'rHiDKfGg60', 'OWvDhGLPaT', 'sbpDoekgJy', 'iroDk9ds1m'
                Source: 1.2.HUBED342024.exe.77b0000.6.raw.unpack, SYsihOK0CESMR7nfpc.csHigh entropy of concatenated method names: 'SFVRtfqSIp', 'gfSRrHpRUd', 'du5Rye3UAM', 'f5qyiuBhpC', 'u5Wyz01Xxc', 'P5xRfpXN4y', 'PNTRgLhrfp', 'DtURsbYYkA', 'IMsRXsMEuA', 'ziVRWFxiDl'
                Source: 1.2.HUBED342024.exe.77b0000.6.raw.unpack, vGEZyueWSOhGtBk4qt.csHigh entropy of concatenated method names: 'oB9cYku0gl', 'DU6cIFrlZX', 'VE5cxKvGgn', 'KArcLosE9x', 'knmcAM43SY', 'KJGcSoBQXo', 'NHAc0c5uO6', 'uwGc6TAIZs', 'kXkcd2EhEO', 'uDCciAjEih'
                Source: 1.2.HUBED342024.exe.77b0000.6.raw.unpack, HNV5HZgfLkmaWU3kWHS.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Y7QUG8wMrN', 'JaKUVqJ5La', 'pybUBbjbRT', 'A3WUY0gf4U', 'iihUIOHROy', 'zK0UxVJbbV', 'tsYULZTJuY'
                Source: 1.2.HUBED342024.exe.77b0000.6.raw.unpack, BKfcZoJdDv53wrRPdB.csHigh entropy of concatenated method names: 'vtSXC51igh', 'GsIXt7okav', 'REZXcOl4yL', 'C76XrhV0GF', 'J5UXwKfH4D', 'RWhXyGMK4t', 'zJtXRoGX7S', 'KrkXJUhcRM', 'J2yXEBA3U1', 'L7QX9jYTxY'
                Source: 1.2.HUBED342024.exe.77b0000.6.raw.unpack, TfANd1iQAAEMLdV3ev.csHigh entropy of concatenated method names: 'HaNUrskMOG', 'SCRUwCbIgc', 'ocVUy8pxyi', 'wrEURdsRjE', 'etmUDdDm1m', 'CViUJCaZ0U', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 1.2.HUBED342024.exe.3d47e08.3.raw.unpack, ntaqAjggZ3soHhG3ngL.csHigh entropy of concatenated method names: 'ikkUi9kMwl', 'dQuUz3WfGk', 'VVVTfk29ul', 'TqCTgAwClt', 'bbITst5N78', 'vYrTXMCjed', 'lZ8TWNPGst', 'E8pTClyggH', 'outTtsQhpq', 'I92TcuE7CC'
                Source: 1.2.HUBED342024.exe.3d47e08.3.raw.unpack, r3PZeRYkfcj0D0oe9W.csHigh entropy of concatenated method names: 'W8SnkFVHJo', 'fXFnVdqZXN', 'DCLnYhi7ZN', 'aKWnIXdtOV', 'FHJnbjgvfC', 'dIvn13o0bM', 'ldmnZSL5io', 'yssnqptkHo', 'd9Ln4TIuDn', 'Q2GnKNy27R'
                Source: 1.2.HUBED342024.exe.3d47e08.3.raw.unpack, Qip3YMgWuX7c2TIXiTT.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zTwHDmrCKg', 'TWrHUSwtKi', 'lagHTyva1b', 'kLAHHE83he', 'ClhHP4xeI0', 'QbBHpwu4m6', 'NKmHNrFpkx'
                Source: 1.2.HUBED342024.exe.3d47e08.3.raw.unpack, u70kBqWEe0Gq5IFHi8.csHigh entropy of concatenated method names: 'QiPgRGEZyu', 'dSOgJhGtBk', 'hkrg9PvTgH', 'fipgFv4NRa', 'J5HgnfA5L3', 'E78gjHlMRu', 'vQCIPxxiv5kJk0Tw6k', 'zompKGJOe8sH6kAqL0', 'LSyggBkMFF', 'Tr3gXIsews'
                Source: 1.2.HUBED342024.exe.3d47e08.3.raw.unpack, RXDF57zVDhYSt7uLZL.csHigh entropy of concatenated method names: 'eZWUMS9aiE', 'W7xUetspYe', 'optU8IObZK', 'dq0U3rkXC4', 'eBaUb1GIBg', 'RdjUZXYKpL', 'B3qUqMAN8k', 'wh9UNbutsC', 'sjGUaQwyU8', 'pI6U2mWfSO'
                Source: 1.2.HUBED342024.exe.3d47e08.3.raw.unpack, sjXoshBoHC8PXIJvtT.csHigh entropy of concatenated method names: 'S9AmeT4QYA', 'thcm8FylVJ', 'KwOm3R7Eyi', 'iNGmbibCQW', 'NjDmZl0oYj', 'ukxmqJWWwR', 'M4xmK4O2MY', 'RbtmhG6SP6', 'Behmk78EM1', 'OnymGypPlq'
                Source: 1.2.HUBED342024.exe.3d47e08.3.raw.unpack, zfe1sdbrR2S03mAHDS.csHigh entropy of concatenated method names: 'Mu9RN2MsnMLxftf7hxj', 'FhwSLuMCAWoyrjo5cxj', 'pily5VyfZX', 'LaZyDA8C5Y', 'd35yUkIvn0', 'gB8pEJMXrkV6RYu7iMW', 'bIIr3bMvV8O1KK6u4i0', 'mQpFCwMQj6cuj2p5TRG'
                Source: 1.2.HUBED342024.exe.3d47e08.3.raw.unpack, wjOyZASY3yGLp2qtFy.csHigh entropy of concatenated method names: 'NtZ762f4Yq', 'GLb7i7dZMo', 'DCS5fe16T5', 'eZj5guH8cO', 'Nqj7GxgVXk', 'MIM7VMVSx5', 'Gc07BSliKk', 'nAc7YaP6PA', 'AqK7IZFurA', 'Q6d7x721qO'
                Source: 1.2.HUBED342024.exe.3d47e08.3.raw.unpack, SrFKEasbuAJ5pUuDKk.csHigh entropy of concatenated method names: 'RY3Qw4V8n', 'LJ8vGPSHF', 'EUvMvcdkK', 'irouDcsXv', 'Sml81P11m', 'hjKOAdkeN', 'yayX0KO1VneleoyVg5', 'S54KBbAx5455PGPGOW', 'jGF5a4swX', 'VZvU4fL18'
                Source: 1.2.HUBED342024.exe.3d47e08.3.raw.unpack, memblcxctooqU42Wlx.csHigh entropy of concatenated method names: 'ToString', 'A5HjG4MRDr', 'FtZjbyAJVr', 'hMaj1HcokF', 'eBDjZEuA2E', 'Q3PjqVjo8g', 'qsVj4eDseO', 'Hs8jKvC9e2', 'QCsjh3ubDi', 'HBRjoBRoTg'
                Source: 1.2.HUBED342024.exe.3d47e08.3.raw.unpack, VLHouGcExBE4ubhDhj.csHigh entropy of concatenated method names: 'Dispose', 'NONgdj3B31', 'm0JsbL3qsZ', 'IuveBToG9e', 'OXwgilhlu6', 'jN9gz5GWfB', 'ProcessDialogKey', 'yM6sfbvNju', 'zJUsg2sGTL', 'xUcssLfANd'
                Source: 1.2.HUBED342024.exe.3d47e08.3.raw.unpack, rL3e783HlMRuXmYr9c.csHigh entropy of concatenated method names: 'XdyyCdH2xN', 'ATsycLuy6j', 'sS2ywugLUg', 'SNryRxiYkQ', 'iliyJbQscc', 'vLiwAP7KIQ', 'mHJwSym4Uy', 'vvfw0bwLfg', 'GiYw6UXBaa', 'XBVwdsyLt3'
                Source: 1.2.HUBED342024.exe.3d47e08.3.raw.unpack, STxdj8oZCEeIpOIg9N.csHigh entropy of concatenated method names: 'CAKRaL7e5a', 'a4BR2NduZV', 'gubRQnvot9', 'KABRvmWbud', 'ou1RlyVcom', 'lurRM6W3n8', 'R6hRuaYEld', 'y86RegthsC', 'IJ6R8QR2L8', 'k2sROyfcZ6'
                Source: 1.2.HUBED342024.exe.3d47e08.3.raw.unpack, OgOEMw8krPvTgHtipv.csHigh entropy of concatenated method names: 'DeTrvlU3TN', 'Y25rMrCFFT', 'O6xreYuodu', 'H1Pr8nI8yP', 'iW2rnaMNjn', 'XsFrj9HpA5', 'aXcr74hkAM', 'Ya8r5IAOyM', 'fYcrDx4970', 'LSkrUkMwyn'
                Source: 1.2.HUBED342024.exe.3d47e08.3.raw.unpack, bdOuco0jQkONj3B31G.csHigh entropy of concatenated method names: 'D9xDns5fu7', 'jsHD7nqgG3', 'fflDDVmKTb', 'SLMDT6CmDU', 'dwFDPobBXC', 'nIEDNlMEWv', 'Dispose', 'ruZ5tPStcH', 'cDU5cPtrlG', 'Vrt5rOs8Gl'
                Source: 1.2.HUBED342024.exe.3d47e08.3.raw.unpack, XbvNjudQJU2sGTLaUc.csHigh entropy of concatenated method names: 'qiCD3hVoxw', 'EKgDbR2Ojr', 'ScRD1KiNKs', 'GvxDZ03cR3', 'NtwDqWXBvC', 'QaPD4kO6SG', 'rHiDKfGg60', 'OWvDhGLPaT', 'sbpDoekgJy', 'iroDk9ds1m'
                Source: 1.2.HUBED342024.exe.3d47e08.3.raw.unpack, SYsihOK0CESMR7nfpc.csHigh entropy of concatenated method names: 'SFVRtfqSIp', 'gfSRrHpRUd', 'du5Rye3UAM', 'f5qyiuBhpC', 'u5Wyz01Xxc', 'P5xRfpXN4y', 'PNTRgLhrfp', 'DtURsbYYkA', 'IMsRXsMEuA', 'ziVRWFxiDl'
                Source: 1.2.HUBED342024.exe.3d47e08.3.raw.unpack, vGEZyueWSOhGtBk4qt.csHigh entropy of concatenated method names: 'oB9cYku0gl', 'DU6cIFrlZX', 'VE5cxKvGgn', 'KArcLosE9x', 'knmcAM43SY', 'KJGcSoBQXo', 'NHAc0c5uO6', 'uwGc6TAIZs', 'kXkcd2EhEO', 'uDCciAjEih'
                Source: 1.2.HUBED342024.exe.3d47e08.3.raw.unpack, HNV5HZgfLkmaWU3kWHS.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Y7QUG8wMrN', 'JaKUVqJ5La', 'pybUBbjbRT', 'A3WUY0gf4U', 'iihUIOHROy', 'zK0UxVJbbV', 'tsYULZTJuY'
                Source: 1.2.HUBED342024.exe.3d47e08.3.raw.unpack, BKfcZoJdDv53wrRPdB.csHigh entropy of concatenated method names: 'vtSXC51igh', 'GsIXt7okav', 'REZXcOl4yL', 'C76XrhV0GF', 'J5UXwKfH4D', 'RWhXyGMK4t', 'zJtXRoGX7S', 'KrkXJUhcRM', 'J2yXEBA3U1', 'L7QX9jYTxY'
                Source: 1.2.HUBED342024.exe.3d47e08.3.raw.unpack, TfANd1iQAAEMLdV3ev.csHigh entropy of concatenated method names: 'HaNUrskMOG', 'SCRUwCbIgc', 'ocVUy8pxyi', 'wrEURdsRjE', 'etmUDdDm1m', 'CViUJCaZ0U', 'Next', 'Next', 'Next', 'NextBytes'

                Hooking and other Techniques for Hiding and Protection

                barindex
                Loading BitLocker PowerShell Module
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                barindex
                Yara detected AntiVM3
                Source: Yara matchFile source: Process Memory Space: HUBED342024.exe PID: 7352, type: MEMORYSTR
                Source: C:\Users\user\Desktop\HUBED342024.exeMemory allocated: F00000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeMemory allocated: 2B70000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeMemory allocated: 4B70000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeMemory allocated: 8F10000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeMemory allocated: 7950000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeMemory allocated: 9F10000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeMemory allocated: AF10000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeMemory allocated: E00000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeMemory allocated: 2900000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeMemory allocated: 2720000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5714Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3975Jump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exe TID: 7404Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7748Thread sleep time: -4611686018427385s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: HUBED342024.exe, 00000001.00000002.2179563186.0000000000FE2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                Source: HUBED342024.exe, 00000001.00000002.2185964899.00000000077B0000.00000004.08000000.00040000.00000000.sdmp, HUBED342024.exe, 00000001.00000002.2181052353.0000000003BC8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ywHgfSFMaQ
                Source: HUBED342024.exe, 00000005.00000002.3423618165.00000000009C5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                barindex
                .NET source code references suspicious native API functions
                Source: 1.2.HUBED342024.exe.3b91ae8.4.raw.unpack, UltraSpeed.csReference to suspicious API methods: MapVirtualKey(VKCode, 0u)
                Source: 1.2.HUBED342024.exe.3b91ae8.4.raw.unpack, FFDecryptor.csReference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
                Source: 1.2.HUBED342024.exe.3b91ae8.4.raw.unpack, FFDecryptor.csReference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))
                Adds a directory exclusion to Windows Defender
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HUBED342024.exe"
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HUBED342024.exe"Jump to behavior
                Injects a PE file into a foreign processes
                Source: C:\Users\user\Desktop\HUBED342024.exeMemory written: C:\Users\user\Desktop\HUBED342024.exe base: 400000 value starts with: 4D5AJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HUBED342024.exe"Jump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeProcess created: C:\Users\user\Desktop\HUBED342024.exe "C:\Users\user\Desktop\HUBED342024.exe"Jump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeQueries volume information: C:\Users\user\Desktop\HUBED342024.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeQueries volume information: C:\Users\user\Desktop\HUBED342024.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                barindex
                Yara detected MassLogger RAT
                Source: Yara matchFile source: 1.2.HUBED342024.exe.3b91ae8.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.HUBED342024.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.HUBED342024.exe.3c2ea70.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.HUBED342024.exe.3b91ae8.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.HUBED342024.exe.3c2ea70.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000005.00000002.3423260696.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.2181052353.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.2181052353.0000000003BC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: HUBED342024.exe PID: 7352, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: HUBED342024.exe PID: 7560, type: MEMORYSTR
                Yara detected Telegram RAT
                Source: Yara matchFile source: 1.2.HUBED342024.exe.3b91ae8.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.HUBED342024.exe.3c2ea70.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.HUBED342024.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.HUBED342024.exe.3b91ae8.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.HUBED342024.exe.3c2ea70.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000005.00000002.3423260696.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.2181052353.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.2181052353.0000000003BC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: HUBED342024.exe PID: 7352, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: HUBED342024.exe PID: 7560, type: MEMORYSTR
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Users\user\Desktop\HUBED342024.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                Source: C:\Users\user\Desktop\HUBED342024.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                Tries to steal Mail credentials (via file / registry access)
                Source: C:\Users\user\Desktop\HUBED342024.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: Yara matchFile source: 1.2.HUBED342024.exe.3b91ae8.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.HUBED342024.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.HUBED342024.exe.3c2ea70.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.HUBED342024.exe.3b91ae8.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.HUBED342024.exe.3c2ea70.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000005.00000002.3423260696.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.3425599530.0000000002A54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.2181052353.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.2181052353.0000000003BC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: HUBED342024.exe PID: 7352, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: HUBED342024.exe PID: 7560, type: MEMORYSTR

                Remote Access Functionality

                barindex
                Yara detected MassLogger RAT
                Source: Yara matchFile source: 1.2.HUBED342024.exe.3b91ae8.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.HUBED342024.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.HUBED342024.exe.3c2ea70.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.HUBED342024.exe.3b91ae8.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.HUBED342024.exe.3c2ea70.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000005.00000002.3423260696.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.2181052353.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.2181052353.0000000003BC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: HUBED342024.exe PID: 7352, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: HUBED342024.exe PID: 7560, type: MEMORYSTR
                Yara detected Telegram RAT
                Source: Yara matchFile source: 1.2.HUBED342024.exe.3b91ae8.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.HUBED342024.exe.3c2ea70.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.HUBED342024.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.HUBED342024.exe.3b91ae8.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.HUBED342024.exe.3c2ea70.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000005.00000002.3423260696.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.2181052353.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.2181052353.0000000003BC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: HUBED342024.exe PID: 7352, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: HUBED342024.exe PID: 7560, type: MEMORYSTR

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
                Native API                		1
                DLL Side-Loading                		111
                Process Injection                		1
                Masquerading                		1
                OS Credential Dumping                		1
                Security Software Discovery                		Remote Services1
                Email Collection                		11
                Encrypted Channel                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault AccountsScheduled Task/JobBoot or Logon Initialization Scripts1
                DLL Side-Loading                		11
                Disable or Modify Tools                		1
                Input Capture                		1
                Process Discovery                		Remote Desktop Protocol1
                Input Capture                		1
                Ingress Tool Transfer                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)31
                Virtualization/Sandbox Evasion                		Security Account Manager31
                Virtualization/Sandbox Evasion                		SMB/Windows Admin Shares11
                Archive Collected Data                		2
                Non-Application Layer Protocol                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook111
                Process Injection                		NTDS1
                Application Window Discovery                		Distributed Component Object Model1
                Data from Local System                		13
                Application Layer Protocol                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                Deobfuscate/Decode Files or Information                		LSA Secrets1
                System Network Configuration Discovery                		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts3
                Obfuscated Files or Information                		Cached Domain Credentials1
                File and Directory Discovery                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items12
                Software Packing                		DCSync13
                System Information Discovery                		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                DLL Side-Loading                		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                windows-stand

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                SourceDetectionScannerLabelLink
                HUBED342024.exe74%ReversingLabsByteCode-MSIL.Infostealer.Pony
                HUBED342024.exe100%Joe Sandbox ML

                Dropped Files

                No Antivirus matches

                Unpacked PE Files

                No Antivirus matches

                Domains

                No Antivirus matches

                URLs

                No Antivirus matches

                Domains and IPs

                Contacted Domains

                NameIPActiveMaliciousAntivirus DetectionReputation
                reallyfreegeoip.org
                		172.67.177.134
                		truefalse
                  		high
                  ax-0001.ax-msedge.net
                  		150.171.27.10
                  		truefalse
                    		high
                    checkip.dyndns.com
                    		193.122.6.168
                    		truefalse
                      		high
                      checkip.dyndns.org
                      		unknown
                      		unknownfalse
                        		high

                        Contacted URLs

                        NameMaliciousAntivirus DetectionReputation
                        http://checkip.dyndns.org/false
                          		high
                          https://reallyfreegeoip.org/xml/8.46.123.189false
                            		high

                            URLs from Memory and Binaries

                            NameSourceMaliciousAntivirus DetectionReputation
                            https://reallyfreegeoip.org/xml/8.46.123.189lHUBED342024.exe, 00000005.00000002.3425599530.000000000297E000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              http://checkip.dyndns.comdHUBED342024.exe, 00000005.00000002.3425599530.000000000297E000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://checkip.dyndns.org/qHUBED342024.exe, 00000001.00000002.2181052353.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, HUBED342024.exe, 00000001.00000002.2181052353.0000000003BC8000.00000004.00000800.00020000.00000000.sdmp, HUBED342024.exe, 00000005.00000002.3423260696.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                  		high
                                  http://reallyfreegeoip.orgdHUBED342024.exe, 00000005.00000002.3425599530.000000000299C000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://reallyfreegeoip.org/xml/8.46.123.189dHUBED342024.exe, 00000005.00000002.3425599530.000000000297E000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      http://reallyfreegeoip.orgHUBED342024.exe, 00000005.00000002.3425599530.000000000299C000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        http://checkip.dyndns.orgdHUBED342024.exe, 00000005.00000002.3425599530.000000000297E000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          https://reallyfreegeoip.orgHUBED342024.exe, 00000005.00000002.3425599530.000000000297E000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		high
                                            http://checkip.dyndns.orgHUBED342024.exe, 00000005.00000002.3425599530.000000000297E000.00000004.00000800.00020000.00000000.sdmp, HUBED342024.exe, 00000005.00000002.3425599530.000000000296C000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		high
                                              http://checkip.dyndns.comHUBED342024.exe, 00000005.00000002.3425599530.000000000297E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://checkip.dyndns.org/dHUBED342024.exe, 00000005.00000002.3425599530.000000000297E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameHUBED342024.exe, 00000001.00000002.2180525420.0000000002B71000.00000004.00000800.00020000.00000000.sdmp, HUBED342024.exe, 00000005.00000002.3425599530.0000000002901000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high
                                                    https://api.telegram.org/bot-/sendDocument?chat_id=HUBED342024.exe, 00000001.00000002.2181052353.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, HUBED342024.exe, 00000001.00000002.2181052353.0000000003BC8000.00000004.00000800.00020000.00000000.sdmp, HUBED342024.exe, 00000005.00000002.3423260696.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                                      		high
                                                      https://reallyfreegeoip.org/xml/HUBED342024.exe, 00000001.00000002.2181052353.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, HUBED342024.exe, 00000001.00000002.2181052353.0000000003BC8000.00000004.00000800.00020000.00000000.sdmp, HUBED342024.exe, 00000005.00000002.3425599530.000000000297E000.00000004.00000800.00020000.00000000.sdmp, HUBED342024.exe, 00000005.00000002.3423260696.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                                        		high

                                                        World Map of Contacted IPs

                                                        • No. of IPs < 25%
                                                        • 25% < No. of IPs < 50%
                                                        • 50% < No. of IPs < 75%
                                                        • 75% < No. of IPs

                                                        Public IPs

                                                        IPDomainCountryFlagASNASN NameMalicious
                                                        193.122.6.168
                                                        		checkip.dyndns.comUnited States
                                                        		31898ORACLE-BMC-31898USfalse
                                                        172.67.177.134
                                                        		reallyfreegeoip.orgUnited States
                                                        		13335CLOUDFLARENETUSfalse

                                                        General Information

                                                        Joe Sandbox version:41.0.0 Charoite
                                                        Analysis ID:1580087
                                                        Start date and time:2024-12-23 21:49:10 +01:00
                                                        Joe Sandbox product:CloudBasic
                                                        Overall analysis duration:0h 6m 13s
                                                        Hypervisor based Inspection enabled:false
                                                        Report type:full
                                                        Cookbook file name:default.jbs
                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                        Number of analysed new started processes analysed:22
                                                        Number of new started drivers analysed:0
                                                        Number of existing processes analysed:0
                                                        Number of existing drivers analysed:0
                                                        Number of injected processes analysed:0
                                                        Technologies:
                                                        • HCA enabled
                                                        • EGA enabled
                                                        • AMSI enabled
                                                        Analysis Mode:default
                                                        Analysis stop reason:Timeout
                                                        Sample name:HUBED342024.exe
                                                        Detection:MAL
                                                        Classification:mal100.troj.spyw.evad.winEXE@7/6@2/2
                                                        EGA Information:
                                                        • Successful, ratio: 50%
                                                        HCA Information:
                                                        • Successful, ratio: 99%
                                                        • Number of executed functions: 77
                                                        • Number of non-executed functions: 13
                                                        Cookbook Comments:
                                                        • Found application associated with file extension: .exe

                                                        Warnings

                                                        • Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
                                                        • Excluded IPs from analysis (whitelisted): 40.126.53.6, 20.223.35.26, 2.16.158.35, 184.28.90.27, 13.107.246.63, 4.245.163.56, 20.31.169.57, 2.16.158.81, 150.171.27.10
                                                        • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, ctldl.windowsupdate.com, tse1.mm.bing.net, g.bing.com, arc.msn.com, fe3cr.delivery.mp.microsoft.com
                                                        • Execution Graph export aborted for target HUBED342024.exe, PID 7560 because it is empty
                                                        • Not all processes where analyzed, report is missing behavior information
                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                        • Report size getting too big, too many NtCreateKey calls found.
                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                        • VT rate limit hit for: HUBED342024.exe

                                                        Simulations

                                                        Behavior and APIs

                                                        TimeTypeDescription
                                                        15:50:08API Interceptor1x Sleep call for process: HUBED342024.exe modified
                                                        15:50:10API Interceptor12x Sleep call for process: powershell.exe modified

                                                        Joe Sandbox View / Context

                                                        IPs

                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        193.122.6.168YU SV Payment.exeGet hashmaliciousMassLogger RATBrowse
                                                        • checkip.dyndns.org/
                                                        PAYMENT ADVICE 750013-1012449943-81347-pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                        • checkip.dyndns.org/
                                                        PAYMENT SWIFT AND SOA TT07180016-24_pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                        • checkip.dyndns.org/
                                                        Invoice.exeGet hashmaliciousSnake KeyloggerBrowse
                                                        • checkip.dyndns.org/
                                                        MV GOLDEN SCHULTE DETAILS.exeGet hashmaliciousSnake KeyloggerBrowse
                                                        • checkip.dyndns.org/
                                                        pedido-035241.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                        • checkip.dyndns.org/
                                                        QUOTATION REQUEST - BQS058.exeGet hashmaliciousMassLogger RATBrowse
                                                        • checkip.dyndns.org/
                                                        SWIFT091816-24_pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                        • checkip.dyndns.org/
                                                        Shipment 990847575203.pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • checkip.dyndns.org/
                                                        Ziraat Bankasi Swift Mesaji.exeGet hashmaliciousMassLogger RATBrowse
                                                        • checkip.dyndns.org/
                                                        172.67.177.134Order_12232024.exeGet hashmaliciousMassLogger RATBrowse
                                                          rTTSWIFTCOPIES.exeGet hashmaliciousMassLogger RATBrowse
                                                            Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exeGet hashmaliciousMassLogger RATBrowse
                                                              YU SV Payment.exeGet hashmaliciousMassLogger RATBrowse
                                                                PAYMENT ADVICE 750013-1012449943-81347-pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                  HUSDGHCE23ED.exeGet hashmaliciousMassLogger RATBrowse
                                                                    66776676676.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                      RFQ December-January Forcast and TCL.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                        Invoice.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                          PK241200518-EMAIL RELEASE-pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse

                                                                            Domains

                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                            ax-0001.ax-msedge.netOnboard Training Checklist v1.1 - Wyatt Young (1).xlsxGet hashmaliciousUnknownBrowse
                                                                            • 150.171.28.10
                                                                            https://jkqbjwq.maxiite.comGet hashmaliciousHTMLPhisherBrowse
                                                                            • 150.171.27.10
                                                                            OZq1f2sZz3.exeGet hashmaliciousAsyncRATBrowse
                                                                            • 150.171.27.10
                                                                            Olz7TmvkEW.exeGet hashmaliciousUltraVNCBrowse
                                                                            • 150.171.27.10
                                                                            Archivo-PxFkiLTWYG-23122024095010.htaGet hashmaliciousUnknownBrowse
                                                                            • 150.171.28.10
                                                                            BVGvbpplT8.exeGet hashmaliciousLummaC, StealcBrowse
                                                                            • 150.171.28.10
                                                                            613vKYuY2S.exeGet hashmaliciousLummaCBrowse
                                                                            • 150.171.28.10
                                                                            r4xiHKy8aM.exeGet hashmaliciousSocks5SystemzBrowse
                                                                            • 150.171.28.10
                                                                            vRWw6y4Pj2.exeGet hashmaliciousUnknownBrowse
                                                                            • 150.171.27.10
                                                                            2E814B7D-3F0B-4AF7-8C7C-C8AE7CD57525_12172024125634383.dllGet hashmaliciousUnknownBrowse
                                                                            • 150.171.28.10
                                                                            checkip.dyndns.comMT Eagle Asia 11.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                            • 193.122.130.0
                                                                            Order_12232024.exeGet hashmaliciousMassLogger RATBrowse
                                                                            • 193.122.130.0
                                                                            rTTSWIFTCOPIES.exeGet hashmaliciousMassLogger RATBrowse
                                                                            • 193.122.130.0
                                                                            Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exeGet hashmaliciousMassLogger RATBrowse
                                                                            • 158.101.44.242
                                                                            Statement_3029_from_Cross_Traders_and_Logistics_ltd.exeGet hashmaliciousMassLogger RATBrowse
                                                                            • 158.101.44.242
                                                                            Invoice DHL - AWB 2024 E4001 - 0000731.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                            • 132.226.247.73
                                                                            Requested Documentation.exeGet hashmaliciousMassLogger RATBrowse
                                                                            • 158.101.44.242
                                                                            YU SV Payment.exeGet hashmaliciousMassLogger RATBrowse
                                                                            • 193.122.6.168
                                                                            PURCHASE ORDER TRC-090971819130-24_pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                            • 132.226.247.73
                                                                            PAYMENT ADVICE 750013-1012449943-81347-pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                            • 193.122.6.168
                                                                            reallyfreegeoip.orgMT Eagle Asia 11.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                            • 104.21.67.152
                                                                            Order_12232024.exeGet hashmaliciousMassLogger RATBrowse
                                                                            • 172.67.177.134
                                                                            rTTSWIFTCOPIES.exeGet hashmaliciousMassLogger RATBrowse
                                                                            • 172.67.177.134
                                                                            Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exeGet hashmaliciousMassLogger RATBrowse
                                                                            • 172.67.177.134
                                                                            Statement_3029_from_Cross_Traders_and_Logistics_ltd.exeGet hashmaliciousMassLogger RATBrowse
                                                                            • 104.21.67.152
                                                                            Invoice DHL - AWB 2024 E4001 - 0000731.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                            • 104.21.67.152
                                                                            YU SV Payment.exeGet hashmaliciousMassLogger RATBrowse
                                                                            • 172.67.177.134
                                                                            PURCHASE ORDER TRC-090971819130-24_pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                            • 104.21.67.152
                                                                            PAYMENT ADVICE 750013-1012449943-81347-pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                            • 172.67.177.134
                                                                            Overheaped237.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                            • 104.21.67.152

                                                                            ASNs

                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                            ORACLE-BMC-31898USMT Eagle Asia 11.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                            • 193.122.130.0
                                                                            Order_12232024.exeGet hashmaliciousMassLogger RATBrowse
                                                                            • 193.122.130.0
                                                                            rTTSWIFTCOPIES.exeGet hashmaliciousMassLogger RATBrowse
                                                                            • 193.122.130.0
                                                                            nshkmips.elfGet hashmaliciousMiraiBrowse
                                                                            • 132.145.36.70
                                                                            Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exeGet hashmaliciousMassLogger RATBrowse
                                                                            • 158.101.44.242
                                                                            Statement_3029_from_Cross_Traders_and_Logistics_ltd.exeGet hashmaliciousMassLogger RATBrowse
                                                                            • 158.101.44.242
                                                                            nshkarm.elfGet hashmaliciousMiraiBrowse
                                                                            • 140.238.15.102
                                                                            nshsh4.elfGet hashmaliciousMiraiBrowse
                                                                            • 140.238.98.44
                                                                            Requested Documentation.exeGet hashmaliciousMassLogger RATBrowse
                                                                            • 158.101.44.242
                                                                            YU SV Payment.exeGet hashmaliciousMassLogger RATBrowse
                                                                            • 193.122.6.168
                                                                            CLOUDFLARENETUShttps://www.canva.com/design/DAGaHpv1g1M/bVE7B2sT8b8T3P-e2xb64w/view?utm_content=DAGaHpv1g1M&utm_campaign=designshare&utm_medium=link2&utm_source=uniquelinks&utlId=h1ee3678e45Get hashmaliciousHTMLPhisherBrowse
                                                                            • 172.67.74.152
                                                                            Violated Heroine_91zbZ-1.exeGet hashmaliciousUnknownBrowse
                                                                            • 104.18.20.226
                                                                            Play Aud.htmlGet hashmaliciousUnknownBrowse
                                                                            • 104.17.25.14
                                                                            https://flowto.it/8tooc2sec?fc=0Get hashmaliciousUnknownBrowse
                                                                            • 104.18.35.227
                                                                            Violated Heroine_91zbZ-1.exeGet hashmaliciousUnknownBrowse
                                                                            • 104.20.87.8
                                                                            vFile__0054seconds__Airborn.htmlGet hashmaliciousHTMLPhisherBrowse
                                                                            • 104.17.25.14
                                                                            https://jkqbjwq.maxiite.comGet hashmaliciousUnknownBrowse
                                                                            • 104.16.123.96
                                                                            [External] 120112 Manual Policies Overview Guide_ 8VM8-WZPT3L-LYH1.emlGet hashmaliciousUnknownBrowse
                                                                            • 1.1.1.1
                                                                            https://jkqbjwq.maxiite.comGet hashmaliciousHTMLPhisherBrowse
                                                                            • 172.66.43.2
                                                                            https://qulatrics.com/Get hashmaliciousUnknownBrowse
                                                                            • 104.17.25.14

                                                                            JA3 Fingerprints

                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                            54328bd36c14bd82ddaa0c04b25ed9adMT Eagle Asia 11.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                            • 172.67.177.134
                                                                            Order_12232024.exeGet hashmaliciousMassLogger RATBrowse
                                                                            • 172.67.177.134
                                                                            rTTSWIFTCOPIES.exeGet hashmaliciousMassLogger RATBrowse
                                                                            • 172.67.177.134
                                                                            Ziraat_Bankasi_Swift_Mesaji_TXB04958T.scr.exeGet hashmaliciousMassLogger RATBrowse
                                                                            • 172.67.177.134
                                                                            Statement_3029_from_Cross_Traders_and_Logistics_ltd.exeGet hashmaliciousMassLogger RATBrowse
                                                                            • 172.67.177.134
                                                                            Browser.Daemon.exeGet hashmaliciousUnknownBrowse
                                                                            • 172.67.177.134
                                                                            Browser.Daemon.exeGet hashmaliciousUnknownBrowse
                                                                            • 172.67.177.134
                                                                            Invoice DHL - AWB 2024 E4001 - 0000731.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                            • 172.67.177.134
                                                                            YU SV Payment.exeGet hashmaliciousMassLogger RATBrowse
                                                                            • 172.67.177.134
                                                                            PURCHASE ORDER TRC-090971819130-24_pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                            • 172.67.177.134

                                                                            Dropped Files

                                                                            No context

                                                                            Created / dropped Files

                                                                            C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HUBED342024.exe.log

                                                                            Download File
                                                                            Process:C:\Users\user\Desktop\HUBED342024.exe
                                                                            File Type:ASCII text, with CRLF line terminators
                                                                            Category:dropped
                                                                            Size (bytes):1216
                                                                            Entropy (8bit):5.34331486778365
                                                                            Encrypted:false
                                                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                            Malicious:true
                                                                            Reputation:high, very likely benign file
                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                            Download File
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:data
                                                                            Category:dropped
                                                                            Size (bytes):2232
                                                                            Entropy (8bit):5.379401388151058
                                                                            Encrypted:false
                                                                            SSDEEP:48:fWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//8PUyus:fLHxvIIwLgZ2KRHWLOug8s
                                                                            MD5:1A71ECE43593D19630F97D4040AEED41
                                                                            SHA1:62DF351226E518ECF6019D8CCA3356A8073551A3
                                                                            SHA-256:38F4816F96E7B0F23EF75A046B2F69A293D52C00328E1FE5D354650D647B06B0
                                                                            SHA-512:B82C360A7894B8837433F4F69EF6DEF4F6D98D7333873AD383A39462311FF3C56F43035EE6E45160518D36B2CBDC17D9396D557B78AFAF1DAFF3A1AA52BC982E
                                                                            Malicious:false
                                                                            Reputation:moderate, very likely benign file
                                                                            Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1shwjbqh.wfb.psm1

                                                                            Download File
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Reputation:high, very likely benign file
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fcf5hmxf.2gr.psm1

                                                                            Download File
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qkrnligi.ggr.ps1

                                                                            Download File
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_z3iwkv4x.r2w.ps1

                                                                            Download File
                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            File Type:ASCII text, with no line terminators
                                                                            Category:dropped
                                                                            Size (bytes):60
                                                                            Entropy (8bit):4.038920595031593
                                                                            Encrypted:false
                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                            Malicious:false
                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                                            Static File Info

                                                                            General

                                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                            Entropy (8bit):7.0820640699344946
                                                                            TrID:
                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                            • DOS Executable Generic (2002/1) 0.01%
                                                                            File name:HUBED342024.exe
                                                                            File size:756'224 bytes
                                                                            MD5:8e148751995240a3f18c5bd846783d2d
                                                                            SHA1:576f54bd58d27c1e7d779c9900388c8dfc7c02be
                                                                            SHA256:776e675ee48e029e417d5ed22ef53ccb5225660871d2152c4f4dc786eff91e62
                                                                            SHA512:c7dcdda292b45bc9c1febb4890e1617f5eab9db3bdbab85484f6374abaca2f11328163b6ab380133679a7ac764e5d7c2d46081d477420e4cff72767e93ad3bd4
                                                                            SSDEEP:12288:/DkX1pKP1zms3Y4kSTvcncIQYtbl4EMw+7H9TeOKfdgwo:/AXa1znDk+En2YzTl+79Tydzo
                                                                            TLSH:A9F4AEB8D574810DCC692B7445F2ED35126B7EAAAB70A2CE9BC87DE37A3354344247C2
                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....hg..............0.................. ... ....@.. ....................................@................................

                                                                            File Icon

                                                                            Icon Hash:1103212484000000

                                                                            Static PE Info

                                                                            General

                                                                            Entrypoint:0x4a15c6
                                                                            Entrypoint Section:.text
                                                                            Digitally signed:false
                                                                            Imagebase:0x400000
                                                                            Subsystem:windows gui
                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                            Time Stamp:0x6768BDF4 [Mon Dec 23 01:33:40 2024 UTC]
                                                                            TLS Callbacks:
                                                                            CLR (.Net) Version:
                                                                            OS Version Major:4
                                                                            OS Version Minor:0
                                                                            File Version Major:4
                                                                            File Version Minor:0
                                                                            Subsystem Version Major:4
                                                                            Subsystem Version Minor:0
                                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                            Entrypoint Preview

                                                                            Instruction
                                                                            jmp dword ptr [00402000h]
                                                                            add dword ptr [eax], eax
                                                                            add byte ptr [eax], al
                                                                            add al, byte ptr [eax]
                                                                            add byte ptr [eax], al
                                                                            add al, 00h
                                                                            add byte ptr [eax], al
                                                                            or byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            adc byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            and byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            inc eax
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax+00000000h], al
                                                                            add dword ptr [eax], eax
                                                                            add byte ptr [eax], al
                                                                            add al, byte ptr [eax]
                                                                            add byte ptr [eax], al
                                                                            add al, 00h
                                                                            add byte ptr [eax], al
                                                                            or byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            adc byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            and byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            inc eax
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax+00530000h], al
                                                                            jns 00007F7D3C69BB52h
                                                                            jnc 00007F7D3C69BB52h
                                                                            je 00007F7D3C69BB52h
                                                                            add byte ptr [ebp+00h], ch
                                                                            add byte ptr [edx+00h], dl
                                                                            add byte ptr [esi+00h], ah
                                                                            insb
                                                                            add byte ptr [ebp+00h], ah
                                                                            arpl word ptr [eax], ax
                                                                            je 00007F7D3C69BB52h
                                                                            imul eax, dword ptr [eax], 006E006Fh
                                                                            add byte ptr [ecx+00h], al
                                                                            jnc 00007F7D3C69BB52h
                                                                            jnc 00007F7D3C69BB52h
                                                                            add byte ptr [ebp+00h], ch
                                                                            bound eax, dword ptr [eax]
                                                                            insb
                                                                            add byte ptr [ecx+00h], bh
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            dec esp
                                                                            add byte ptr [edi+00h], ch
                                                                            popad
                                                                            add byte ptr [eax+eax+00h], ah
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al

                                                                            Data Directories

                                                                            NameVirtual AddressVirtual Size Is in Section
                                                                            IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_IMPORT0xa15740x4f.text
                                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE0xa20000x18c3c.rsrc
                                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC0xbc0000xc.reloc
                                                                            IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                                            IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                            Sections

                                                                            NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                            .text0x20000x9f64c0x9f8005d599ece28f0090ec7e83eab5b7eb9d3False0.7604636069749217data7.3371981191853IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                            .rsrc0xa20000x18c3c0x18e001cefffe0cb4aa7151f4751cf34ec6251False0.1884422110552764data3.2194358174016275IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                            .reloc0xbc0000xc0x200612595092601871d2b2defbc7f573a02False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                            Resources

                                                                            NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                            RT_ICON0xa21f00x468Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 23622 x 23622 px/m0.3324468085106383
                                                                            RT_ICON0xa26580x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 23622 x 23622 px/m0.25117260787992496
                                                                            RT_ICON0xa37000x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 23622 x 23622 px/m0.2183609958506224
                                                                            RT_ICON0xa5ca80x4228Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 23622 x 23622 px/m0.19550070854983467
                                                                            RT_ICON0xa9ed00x10828Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 23622 x 23622 px/m0.1723796285342482
                                                                            RT_GROUP_ICON0xba6f80x4cdata0.75
                                                                            RT_VERSION0xba7440x30cdata0.4269230769230769
                                                                            RT_MANIFEST0xbaa500x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                                                            Imports

                                                                            DLLImport
                                                                            mscoree.dll_CorExeMain

                                                                            Network Behavior

                                                                            Suricata IDS Alerts

                                                                            TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                            2024-12-23T21:50:16.133490+01002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.649718193.122.6.16880TCP

                                                                            Network Port Distribution

                                                                            TCP Packets

                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                            Dec 23, 2024 21:50:10.922015905 CET4971880192.168.2.6193.122.6.168
                                                                            Dec 23, 2024 21:50:11.041975975 CET8049718193.122.6.168192.168.2.6
                                                                            Dec 23, 2024 21:50:11.042073011 CET4971880192.168.2.6193.122.6.168
                                                                            Dec 23, 2024 21:50:11.042315960 CET4971880192.168.2.6193.122.6.168
                                                                            Dec 23, 2024 21:50:11.161885977 CET8049718193.122.6.168192.168.2.6
                                                                            Dec 23, 2024 21:50:15.152455091 CET8049718193.122.6.168192.168.2.6
                                                                            Dec 23, 2024 21:50:15.157243013 CET4971880192.168.2.6193.122.6.168
                                                                            Dec 23, 2024 21:50:15.278873920 CET8049718193.122.6.168192.168.2.6
                                                                            Dec 23, 2024 21:50:16.093729973 CET8049718193.122.6.168192.168.2.6
                                                                            Dec 23, 2024 21:50:16.133490086 CET4971880192.168.2.6193.122.6.168
                                                                            Dec 23, 2024 21:50:16.233658075 CET49723443192.168.2.6172.67.177.134
                                                                            Dec 23, 2024 21:50:16.233695984 CET44349723172.67.177.134192.168.2.6
                                                                            Dec 23, 2024 21:50:16.233769894 CET49723443192.168.2.6172.67.177.134
                                                                            Dec 23, 2024 21:50:16.241574049 CET49723443192.168.2.6172.67.177.134
                                                                            Dec 23, 2024 21:50:16.241588116 CET44349723172.67.177.134192.168.2.6
                                                                            Dec 23, 2024 21:50:17.493551016 CET44349723172.67.177.134192.168.2.6
                                                                            Dec 23, 2024 21:50:17.493635893 CET49723443192.168.2.6172.67.177.134
                                                                            Dec 23, 2024 21:50:17.496227026 CET49723443192.168.2.6172.67.177.134
                                                                            Dec 23, 2024 21:50:17.496238947 CET44349723172.67.177.134192.168.2.6
                                                                            Dec 23, 2024 21:50:17.496514082 CET44349723172.67.177.134192.168.2.6
                                                                            Dec 23, 2024 21:50:17.539736986 CET49723443192.168.2.6172.67.177.134
                                                                            Dec 23, 2024 21:50:17.548283100 CET49723443192.168.2.6172.67.177.134
                                                                            Dec 23, 2024 21:50:17.595335960 CET44349723172.67.177.134192.168.2.6
                                                                            Dec 23, 2024 21:50:17.942464113 CET44349723172.67.177.134192.168.2.6
                                                                            Dec 23, 2024 21:50:17.942527056 CET44349723172.67.177.134192.168.2.6
                                                                            Dec 23, 2024 21:50:17.942575932 CET49723443192.168.2.6172.67.177.134
                                                                            Dec 23, 2024 21:50:17.948554993 CET49723443192.168.2.6172.67.177.134
                                                                            Dec 23, 2024 21:51:21.093727112 CET8049718193.122.6.168192.168.2.6
                                                                            Dec 23, 2024 21:51:21.093803883 CET4971880192.168.2.6193.122.6.168
                                                                            Dec 23, 2024 21:51:56.103060961 CET4971880192.168.2.6193.122.6.168
                                                                            Dec 23, 2024 21:51:56.222882986 CET8049718193.122.6.168192.168.2.6

                                                                            UDP Packets

                                                                            TimestampSource PortDest PortSource IPDest IP
                                                                            Dec 23, 2024 21:50:10.750117064 CET6488753192.168.2.61.1.1.1
                                                                            Dec 23, 2024 21:50:10.887698889 CET53648871.1.1.1192.168.2.6
                                                                            Dec 23, 2024 21:50:16.095273018 CET6159653192.168.2.61.1.1.1
                                                                            Dec 23, 2024 21:50:16.233011007 CET53615961.1.1.1192.168.2.6

                                                                            DNS Queries

                                                                            TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                            Dec 23, 2024 21:50:10.750117064 CET192.168.2.61.1.1.10x4facStandard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)false
                                                                            Dec 23, 2024 21:50:16.095273018 CET192.168.2.61.1.1.10x858fStandard query (0)reallyfreegeoip.orgA (IP address)IN (0x0001)false

                                                                            DNS Answers

                                                                            TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                            Dec 23, 2024 21:50:10.887698889 CET1.1.1.1192.168.2.60x4facNo error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                                            Dec 23, 2024 21:50:10.887698889 CET1.1.1.1192.168.2.60x4facNo error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                                            Dec 23, 2024 21:50:10.887698889 CET1.1.1.1192.168.2.60x4facNo error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                                            Dec 23, 2024 21:50:10.887698889 CET1.1.1.1192.168.2.60x4facNo error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                                            Dec 23, 2024 21:50:10.887698889 CET1.1.1.1192.168.2.60x4facNo error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                                                                            Dec 23, 2024 21:50:10.887698889 CET1.1.1.1192.168.2.60x4facNo error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                                            Dec 23, 2024 21:50:16.233011007 CET1.1.1.1192.168.2.60x858fNo error (0)reallyfreegeoip.org172.67.177.134A (IP address)IN (0x0001)false
                                                                            Dec 23, 2024 21:50:16.233011007 CET1.1.1.1192.168.2.60x858fNo error (0)reallyfreegeoip.org104.21.67.152A (IP address)IN (0x0001)false
                                                                            Dec 23, 2024 21:51:10.421441078 CET1.1.1.1192.168.2.60x9890No error (0)g-bing-com.ax-0001.ax-msedge.netax-0001.ax-msedge.netCNAME (Canonical name)IN (0x0001)false
                                                                            Dec 23, 2024 21:51:10.421441078 CET1.1.1.1192.168.2.60x9890No error (0)ax-0001.ax-msedge.net150.171.27.10A (IP address)IN (0x0001)false
                                                                            Dec 23, 2024 21:51:10.421441078 CET1.1.1.1192.168.2.60x9890No error (0)ax-0001.ax-msedge.net150.171.28.10A (IP address)IN (0x0001)false

                                                                            HTTP Request Dependency Graph

                                                                            • reallyfreegeoip.org
                                                                            • checkip.dyndns.org

                                                                            HTTP Packets

                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                            0192.168.2.649718193.122.6.168807560C:\Users\user\Desktop\HUBED342024.exe
                                                                            TimestampBytes transferredDirectionData
                                                                            Dec 23, 2024 21:50:11.042315960 CET151OUTGET / HTTP/1.1
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                            Host: checkip.dyndns.org
                                                                            Connection: Keep-Alive
                                                                            Dec 23, 2024 21:50:15.152455091 CET273INHTTP/1.1 200 OK
                                                                            Date: Mon, 23 Dec 2024 20:50:14 GMT
                                                                            Content-Type: text/html
                                                                            Content-Length: 104
                                                                            Connection: keep-alive
                                                                            Cache-Control: no-cache
                                                                            Pragma: no-cache
                                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                                                            Dec 23, 2024 21:50:15.157243013 CET127OUTGET / HTTP/1.1
                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                            Host: checkip.dyndns.org
                                                                            Dec 23, 2024 21:50:16.093729973 CET273INHTTP/1.1 200 OK
                                                                            Date: Mon, 23 Dec 2024 20:50:15 GMT
                                                                            Content-Type: text/html
                                                                            Content-Length: 104
                                                                            Connection: keep-alive
                                                                            Cache-Control: no-cache
                                                                            Pragma: no-cache
                                                                            Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                            Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                            HTTPS Proxied Packets

                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                            0192.168.2.649723172.67.177.1344437560C:\Users\user\Desktop\HUBED342024.exe
                                                                            TimestampBytes transferredDirectionData
                                                                            2024-12-23 20:50:17 UTC85OUTGET /xml/8.46.123.189 HTTP/1.1
                                                                            Host: reallyfreegeoip.org
                                                                            Connection: Keep-Alive
                                                                            2024-12-23 20:50:17 UTC862INHTTP/1.1 200 OK
                                                                            Date: Mon, 23 Dec 2024 20:50:17 GMT
                                                                            Content-Type: text/xml
                                                                            Content-Length: 362
                                                                            Connection: close
                                                                            Age: 301806
                                                                            Cache-Control: max-age=31536000
                                                                            cf-cache-status: HIT
                                                                            last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=v9jhbe%2BosL0ith0e9C5oGZlY7T92BjqBrNqf1w%2BKqrwNwUwaYYFeJu%2FJAO933OjgAzDANXLX%2Fk0%2B5UgeB9riUApDp70BwXuGwIaL1KVJlb2O4zw3PwW4TKGl472AVXq9QUC%2F%2B1k8"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 8f6b391d0988330c-EWR
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=2300&min_rtt=2142&rtt_var=916&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1363211&cwnd=190&unsent_bytes=0&cid=c0f0b7dda63b4c8b&ts=460&x=0"
                                                                            2024-12-23 20:50:17 UTC362INData Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                            Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                            Statistics

                                                                            CPU Usage

                                                                            Click to jump to process

                                                                            Memory Usage

                                                                            Click to jump to process

                                                                            High Level Behavior Distribution

                                                                            Click to dive into process behavior distribution

                                                                            Behavior

                                                                            Click to jump to process

                                                                            System Behavior

                                                                            General

                                                                            Target ID:1
                                                                            Start time:15:50:08
                                                                            Start date:23/12/2024
                                                                            Path:C:\Users\user\Desktop\HUBED342024.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Users\user\Desktop\HUBED342024.exe"
                                                                            Imagebase:0x800000
                                                                            File size:756'224 bytes
                                                                            MD5 hash:8E148751995240A3F18C5BD846783D2D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000001.00000002.2181052353.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2181052353.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.2181052353.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.2181052353.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                            • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000001.00000002.2181052353.0000000003BC8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2181052353.0000000003BC8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.2181052353.0000000003BC8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.2181052353.0000000003BC8000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                            Reputation:low
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:4
                                                                            Start time:15:50:09
                                                                            Start date:23/12/2024
                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\HUBED342024.exe"
                                                                            Imagebase:0xb40000
                                                                            File size:433'152 bytes
                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:5
                                                                            Start time:15:50:09
                                                                            Start date:23/12/2024
                                                                            Path:C:\Users\user\Desktop\HUBED342024.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Users\user\Desktop\HUBED342024.exe"
                                                                            Imagebase:0x500000
                                                                            File size:756'224 bytes
                                                                            MD5 hash:8E148751995240A3F18C5BD846783D2D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000005.00000002.3423260696.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.3423260696.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.3423260696.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.3423260696.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.3425599530.0000000002A54000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                            Reputation:low
                                                                            Has exited:false

                                                                            General

                                                                            Target ID:6
                                                                            Start time:15:50:09
                                                                            Start date:23/12/2024
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff66e660000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            General

                                                                            Target ID:7
                                                                            Start time:15:50:11
                                                                            Start date:23/12/2024
                                                                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                            Imagebase:0x7ff717f30000
                                                                            File size:496'640 bytes
                                                                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:false
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true

                                                                            Disassembly

                                                                            Reset < >

                                                                              Execution Graph

                                                                              Execution Coverage:9.6%
                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                              Signature Coverage:0%
                                                                              Total number of Nodes:328
                                                                              Total number of Limit Nodes:14
                                                                              execution_graph 47485 5151940 47486 5151986 47485->47486 47487 5151a73 47486->47487 47490 5151b20 47486->47490 47493 5151b0f 47486->47493 47497 5151458 47490->47497 47494 5151b20 47493->47494 47495 5151458 DuplicateHandle 47494->47495 47496 5151b4e 47495->47496 47496->47487 47498 5151b88 DuplicateHandle 47497->47498 47499 5151b4e 47498->47499 47499->47487 47613 729a0dc 47614 729a0e2 47613->47614 47615 729a0ed 47614->47615 47619 729ac68 47614->47619 47635 729acde 47614->47635 47652 729ac78 47614->47652 47620 729ac78 47619->47620 47668 729b48b 47620->47668 47673 729b656 47620->47673 47677 729b134 47620->47677 47682 729b29c 47620->47682 47687 729b758 47620->47687 47692 729b399 47620->47692 47697 729b5a6 47620->47697 47705 729b7e7 47620->47705 47710 729b1c7 47620->47710 47715 729b4e5 47620->47715 47720 729b445 47620->47720 47731 729b0c2 47620->47731 47736 729b220 47620->47736 47621 729ac9a 47621->47615 47636 729ac6c 47635->47636 47638 729ace1 47635->47638 47639 729b48b 2 API calls 47636->47639 47640 729b220 4 API calls 47636->47640 47641 729b0c2 2 API calls 47636->47641 47642 729b445 4 API calls 47636->47642 47643 729b4e5 2 API calls 47636->47643 47644 729b1c7 2 API calls 47636->47644 47645 729b7e7 2 API calls 47636->47645 47646 729b5a6 4 API calls 47636->47646 47647 729b399 2 API calls 47636->47647 47648 729b758 2 API calls 47636->47648 47649 729b29c 2 API calls 47636->47649 47650 729b134 2 API calls 47636->47650 47651 729b656 2 API calls 47636->47651 47637 729ac9a 47637->47615 47638->47615 47639->47637 47640->47637 47641->47637 47642->47637 47643->47637 47644->47637 47645->47637 47646->47637 47647->47637 47648->47637 47649->47637 47650->47637 47651->47637 47653 729ac92 47652->47653 47655 729b48b 2 API calls 47653->47655 47656 729b220 4 API calls 47653->47656 47657 729b0c2 2 API calls 47653->47657 47658 729b445 4 API calls 47653->47658 47659 729b4e5 2 API calls 47653->47659 47660 729b1c7 2 API calls 47653->47660 47661 729b7e7 2 API calls 47653->47661 47662 729b5a6 4 API calls 47653->47662 47663 729b399 2 API calls 47653->47663 47664 729b758 2 API calls 47653->47664 47665 729b29c 2 API calls 47653->47665 47666 729b134 2 API calls 47653->47666 47667 729b656 2 API calls 47653->47667 47654 729ac9a 47654->47615 47655->47654 47656->47654 47657->47654 47658->47654 47659->47654 47660->47654 47661->47654 47662->47654 47663->47654 47664->47654 47665->47654 47666->47654 47667->47654 47670 729b28e 47668->47670 47669 729b907 47669->47621 47670->47668 47670->47669 47744 72996a8 47670->47744 47748 72996a0 47670->47748 47752 7299509 47673->47752 47756 7299510 47673->47756 47674 729b673 47678 729b14a 47677->47678 47760 7299930 47678->47760 47764 7299924 47678->47764 47683 729b2b6 47682->47683 47768 7299459 47683->47768 47772 7299460 47683->47772 47684 729b2ce 47684->47621 47690 7299509 Wow64SetThreadContext 47687->47690 47691 7299510 Wow64SetThreadContext 47687->47691 47688 729b425 47688->47687 47689 729bb93 47688->47689 47690->47688 47691->47688 47693 729b39f 47692->47693 47776 7299790 47693->47776 47780 7299798 47693->47780 47694 729b2ed 47694->47621 47698 729b229 47697->47698 47698->47697 47699 729b23b 47698->47699 47701 72996a8 WriteProcessMemory 47698->47701 47702 72996a0 WriteProcessMemory 47698->47702 47784 72995e8 47699->47784 47788 72995e0 47699->47788 47700 729b94a 47700->47621 47701->47698 47702->47698 47707 729b28e 47705->47707 47706 729b907 47706->47621 47707->47706 47708 72996a8 WriteProcessMemory 47707->47708 47709 72996a0 WriteProcessMemory 47707->47709 47708->47707 47709->47707 47711 729b1cd 47710->47711 47712 729b204 47711->47712 47713 7299930 CreateProcessA 47711->47713 47714 7299924 CreateProcessA 47711->47714 47712->47712 47713->47712 47714->47712 47716 729b2b6 47715->47716 47717 729b2ce 47715->47717 47718 7299459 ResumeThread 47716->47718 47719 7299460 ResumeThread 47716->47719 47717->47621 47718->47717 47719->47717 47727 72996a8 WriteProcessMemory 47720->47727 47728 72996a0 WriteProcessMemory 47720->47728 47721 729bacb 47721->47621 47722 729b23b 47729 72995e8 VirtualAllocEx 47722->47729 47730 72995e0 VirtualAllocEx 47722->47730 47723 729b94a 47723->47621 47724 729b229 47724->47721 47724->47722 47725 72996a8 WriteProcessMemory 47724->47725 47726 72996a0 WriteProcessMemory 47724->47726 47725->47724 47726->47724 47727->47724 47728->47724 47729->47723 47730->47723 47732 729b135 47731->47732 47734 7299930 CreateProcessA 47732->47734 47735 7299924 CreateProcessA 47732->47735 47733 729b204 47733->47733 47734->47733 47735->47733 47739 729b229 47736->47739 47737 729b23b 47740 72995e8 VirtualAllocEx 47737->47740 47741 72995e0 VirtualAllocEx 47737->47741 47738 729b94a 47738->47621 47739->47737 47742 72996a8 WriteProcessMemory 47739->47742 47743 72996a0 WriteProcessMemory 47739->47743 47740->47738 47741->47738 47742->47739 47743->47739 47745 72996f0 WriteProcessMemory 47744->47745 47747 7299747 47745->47747 47747->47670 47749 72996a8 WriteProcessMemory 47748->47749 47751 7299747 47749->47751 47751->47670 47753 7299510 Wow64SetThreadContext 47752->47753 47755 729959d 47753->47755 47755->47674 47757 7299555 Wow64SetThreadContext 47756->47757 47759 729959d 47757->47759 47759->47674 47761 72999b9 CreateProcessA 47760->47761 47763 7299b7b 47761->47763 47763->47763 47765 72999b9 CreateProcessA 47764->47765 47767 7299b7b 47765->47767 47767->47767 47769 7299460 ResumeThread 47768->47769 47771 72994d1 47769->47771 47771->47684 47773 72994a0 ResumeThread 47772->47773 47775 72994d1 47773->47775 47775->47684 47777 72997e3 ReadProcessMemory 47776->47777 47779 7299827 47777->47779 47779->47694 47781 72997e3 ReadProcessMemory 47780->47781 47783 7299827 47781->47783 47783->47694 47785 7299628 VirtualAllocEx 47784->47785 47787 7299665 47785->47787 47787->47700 47789 72995e8 VirtualAllocEx 47788->47789 47791 7299665 47789->47791 47791->47700 47792 ebd01c 47793 ebd034 47792->47793 47794 ebd08e 47793->47794 47799 5154ed4 47793->47799 47808 51562c8 47793->47808 47812 51562b8 47793->47812 47816 5157028 47793->47816 47800 5154edf 47799->47800 47801 5157099 47800->47801 47803 5157089 47800->47803 47838 5154ffc 47801->47838 47825 51571c0 47803->47825 47829 515728c 47803->47829 47834 51571b2 47803->47834 47804 5157097 47809 51562ee 47808->47809 47810 5154ed4 CallWindowProcW 47809->47810 47811 515630f 47810->47811 47811->47794 47813 51562ee 47812->47813 47814 5154ed4 CallWindowProcW 47813->47814 47815 515630f 47814->47815 47815->47794 47817 5157065 47816->47817 47818 5157099 47817->47818 47820 5157089 47817->47820 47819 5154ffc CallWindowProcW 47818->47819 47821 5157097 47819->47821 47822 51571c0 CallWindowProcW 47820->47822 47823 51571b2 CallWindowProcW 47820->47823 47824 515728c CallWindowProcW 47820->47824 47822->47821 47823->47821 47824->47821 47826 51571d4 47825->47826 47842 5157278 47826->47842 47827 5157260 47827->47804 47830 515724a 47829->47830 47831 515729a 47829->47831 47833 5157278 CallWindowProcW 47830->47833 47832 5157260 47832->47804 47833->47832 47836 51571c0 47834->47836 47835 5157260 47835->47804 47837 5157278 CallWindowProcW 47836->47837 47837->47835 47839 5155007 47838->47839 47840 515877a CallWindowProcW 47839->47840 47841 5158729 47839->47841 47840->47841 47841->47804 47843 5157289 47842->47843 47845 51586b0 47842->47845 47843->47827 47846 5154ffc CallWindowProcW 47845->47846 47847 51586ca 47846->47847 47847->47843 47500 f04668 47501 f0467a 47500->47501 47502 f04686 47501->47502 47506 f04779 47501->47506 47511 f03e40 47502->47511 47504 f046a5 47507 f0479d 47506->47507 47515 f04888 47507->47515 47519 f04879 47507->47519 47512 f03e4b 47511->47512 47527 f05d4c 47512->47527 47514 f0716a 47514->47504 47516 f048af 47515->47516 47517 f0498c 47516->47517 47523 f044c4 47516->47523 47520 f04888 47519->47520 47521 f0498c 47520->47521 47522 f044c4 CreateActCtxA 47520->47522 47521->47521 47522->47521 47524 f05918 CreateActCtxA 47523->47524 47526 f059db 47524->47526 47528 f05d57 47527->47528 47531 f05d6c 47528->47531 47530 f0aeb5 47530->47514 47532 f05d77 47531->47532 47535 f05d9c 47532->47535 47534 f0af9a 47534->47530 47536 f05da7 47535->47536 47539 f05dcc 47536->47539 47538 f0b08d 47538->47534 47541 f05dd7 47539->47541 47540 f0c629 47540->47538 47541->47540 47544 515166e 47541->47544 47549 5151678 47541->47549 47546 5151699 47544->47546 47545 51516bd 47545->47540 47546->47545 47554 5151817 47546->47554 47558 5151828 47546->47558 47550 5151699 47549->47550 47551 51516bd 47550->47551 47552 5151817 CreateWindowExW 47550->47552 47553 5151828 CreateWindowExW 47550->47553 47551->47540 47552->47551 47553->47551 47555 5151828 47554->47555 47556 515186f 47555->47556 47562 5151390 47555->47562 47556->47545 47560 5151835 47558->47560 47559 515186f 47559->47545 47560->47559 47561 5151390 CreateWindowExW 47560->47561 47561->47559 47563 515139b 47562->47563 47565 5152180 47563->47565 47566 51514bc 47563->47566 47565->47565 47567 51514c7 47566->47567 47571 5153f80 47567->47571 47576 5153f68 47567->47576 47568 5152229 47568->47565 47573 51540b1 47571->47573 47574 5153fb1 47571->47574 47572 5153fbd 47572->47568 47573->47568 47574->47572 47575 51551e0 CreateWindowExW 47574->47575 47575->47573 47577 5153f80 47576->47577 47578 5153fbd 47577->47578 47579 51551e0 CreateWindowExW 47577->47579 47578->47568 47579->47578 47598 f0ecd8 47601 f0edc2 47598->47601 47599 f0ece7 47602 f0ee04 47601->47602 47603 f0ede1 47601->47603 47602->47599 47603->47602 47604 f0f008 GetModuleHandleW 47603->47604 47605 f0f035 47604->47605 47605->47599 47606 729be80 47607 729c00b 47606->47607 47609 729bea6 47606->47609 47609->47607 47610 72982bc 47609->47610 47611 729c100 PostMessageW 47610->47611 47612 729c16c 47611->47612 47612->47609 47580 7033318 47582 7033366 DrawTextExW 47580->47582 47583 70333be 47582->47583 47848 515b4e8 47849 515b515 47848->47849 47884 515b0e8 47849->47884 47852 515b0e8 CreateWindowExW 47853 515b5a9 47852->47853 47854 515b0e8 CreateWindowExW 47853->47854 47855 515b5db 47854->47855 47856 515b0e8 CreateWindowExW 47855->47856 47857 515b60d 47856->47857 47888 515b0f8 47857->47888 47860 515b0f8 CreateWindowExW 47861 515b671 47860->47861 47862 515b0f8 CreateWindowExW 47861->47862 47863 515b6a3 47862->47863 47864 515b0f8 CreateWindowExW 47863->47864 47865 515b6d5 47864->47865 47866 515b0f8 CreateWindowExW 47865->47866 47867 515b707 47866->47867 47868 515b0f8 CreateWindowExW 47867->47868 47869 515b739 47868->47869 47870 515b0f8 CreateWindowExW 47869->47870 47871 515b76b 47870->47871 47872 515b0f8 CreateWindowExW 47871->47872 47873 515b79d 47872->47873 47874 515b0f8 CreateWindowExW 47873->47874 47875 515b7cf 47874->47875 47876 515b0f8 CreateWindowExW 47875->47876 47877 515b801 47876->47877 47878 515b0f8 CreateWindowExW 47877->47878 47879 515ba59 47878->47879 47880 515b0e8 CreateWindowExW 47879->47880 47881 515ba8b 47880->47881 47882 515b0f8 CreateWindowExW 47881->47882 47883 515babd 47882->47883 47885 515b0f3 47884->47885 47886 515b577 47885->47886 47892 515b1f8 47885->47892 47886->47852 47889 515b103 47888->47889 47890 515b398 CreateWindowExW 47889->47890 47891 515b63f 47890->47891 47891->47860 47893 515b203 47892->47893 47895 f0c329 CreateWindowExW 47893->47895 47896 f05dcc CreateWindowExW 47893->47896 47894 515e19c 47894->47886 47895->47894 47896->47894 47584 515e40b 47585 515e410 47584->47585 47588 515b398 47585->47588 47587 515e41f 47589 515b3a3 47588->47589 47590 515e452 47589->47590 47592 f05dcc CreateWindowExW 47589->47592 47593 f0c329 47589->47593 47590->47587 47592->47590 47595 f0c363 47593->47595 47594 f0c629 47594->47590 47595->47594 47596 515166e CreateWindowExW 47595->47596 47597 5151678 CreateWindowExW 47595->47597 47596->47594 47597->47594

                                                                              Executed Functions

                                                                              Function 07293750 Relevance: .1, Instructions: 59COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2185893723.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7290000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 5f2b68ad8136732f7e70325c9f3f155fcfa86c542e36377d835861d70bc3885a
                                                                              • Instruction ID: 384fb5fa962e911dc091c38956ed18b1ff50f04a9bfd625213badcefd66c6854
                                                                              • Opcode Fuzzy Hash: 5f2b68ad8136732f7e70325c9f3f155fcfa86c542e36377d835861d70bc3885a
                                                                              • Instruction Fuzzy Hash: 482108B1D146588BEB18CFA6C9143DEFAF7AFC9300F08C56AD509B6254DBB80A458F90
                                                                              Function 07299924 Relevance: 1.7, APIs: 1, Instructions: 247processCOMMON
                                                                              Download Yara Rule

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 2124 7299924-72999c5 2126 72999fe-7299a1e 2124->2126 2127 72999c7-72999d1 2124->2127 2134 7299a20-7299a2a 2126->2134 2135 7299a57-7299a86 2126->2135 2127->2126 2128 72999d3-72999d5 2127->2128 2129 72999f8-72999fb 2128->2129 2130 72999d7-72999e1 2128->2130 2129->2126 2132 72999e3 2130->2132 2133 72999e5-72999f4 2130->2133 2132->2133 2133->2133 2136 72999f6 2133->2136 2134->2135 2137 7299a2c-7299a2e 2134->2137 2141 7299a88-7299a92 2135->2141 2142 7299abf-7299b79 CreateProcessA 2135->2142 2136->2129 2139 7299a51-7299a54 2137->2139 2140 7299a30-7299a3a 2137->2140 2139->2135 2143 7299a3c 2140->2143 2144 7299a3e-7299a4d 2140->2144 2141->2142 2145 7299a94-7299a96 2141->2145 2155 7299b7b-7299b81 2142->2155 2156 7299b82-7299c08 2142->2156 2143->2144 2144->2144 2146 7299a4f 2144->2146 2147 7299ab9-7299abc 2145->2147 2148 7299a98-7299aa2 2145->2148 2146->2139 2147->2142 2150 7299aa4 2148->2150 2151 7299aa6-7299ab5 2148->2151 2150->2151 2151->2151 2152 7299ab7 2151->2152 2152->2147 2155->2156 2166 7299c18-7299c1c 2156->2166 2167 7299c0a-7299c0e 2156->2167 2168 7299c2c-7299c30 2166->2168 2169 7299c1e-7299c22 2166->2169 2167->2166 2170 7299c10 2167->2170 2172 7299c40-7299c44 2168->2172 2173 7299c32-7299c36 2168->2173 2169->2168 2171 7299c24 2169->2171 2170->2166 2171->2168 2175 7299c56-7299c5d 2172->2175 2176 7299c46-7299c4c 2172->2176 2173->2172 2174 7299c38 2173->2174 2174->2172 2177 7299c5f-7299c6e 2175->2177 2178 7299c74 2175->2178 2176->2175 2177->2178 2179 7299c75 2178->2179 2179->2179
                                                                              APIs
                                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07299B66
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2185893723.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7290000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID: CreateProcess
                                                                              • String ID:
                                                                              • API String ID: 963392458-0
                                                                              • Opcode ID: 650cd5e34861624428459dc70d3946f1f615da73b5272e3c9b7d5c097e68d8de
                                                                              • Instruction ID: 9da750a5f08a20fdb92f60431d35a1befe1ce2d456d7e30ca7847ba26e236eab
                                                                              • Opcode Fuzzy Hash: 650cd5e34861624428459dc70d3946f1f615da73b5272e3c9b7d5c097e68d8de
                                                                              • Instruction Fuzzy Hash: 1AA14CB1D1021ADFEF14CFA9CC417DDBBB6AF88310F1881A9E848A7240D774A981CF91
                                                                              Function 07299930 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                                                              Download Yara Rule

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 2181 7299930-72999c5 2183 72999fe-7299a1e 2181->2183 2184 72999c7-72999d1 2181->2184 2191 7299a20-7299a2a 2183->2191 2192 7299a57-7299a86 2183->2192 2184->2183 2185 72999d3-72999d5 2184->2185 2186 72999f8-72999fb 2185->2186 2187 72999d7-72999e1 2185->2187 2186->2183 2189 72999e3 2187->2189 2190 72999e5-72999f4 2187->2190 2189->2190 2190->2190 2193 72999f6 2190->2193 2191->2192 2194 7299a2c-7299a2e 2191->2194 2198 7299a88-7299a92 2192->2198 2199 7299abf-7299b79 CreateProcessA 2192->2199 2193->2186 2196 7299a51-7299a54 2194->2196 2197 7299a30-7299a3a 2194->2197 2196->2192 2200 7299a3c 2197->2200 2201 7299a3e-7299a4d 2197->2201 2198->2199 2202 7299a94-7299a96 2198->2202 2212 7299b7b-7299b81 2199->2212 2213 7299b82-7299c08 2199->2213 2200->2201 2201->2201 2203 7299a4f 2201->2203 2204 7299ab9-7299abc 2202->2204 2205 7299a98-7299aa2 2202->2205 2203->2196 2204->2199 2207 7299aa4 2205->2207 2208 7299aa6-7299ab5 2205->2208 2207->2208 2208->2208 2209 7299ab7 2208->2209 2209->2204 2212->2213 2223 7299c18-7299c1c 2213->2223 2224 7299c0a-7299c0e 2213->2224 2225 7299c2c-7299c30 2223->2225 2226 7299c1e-7299c22 2223->2226 2224->2223 2227 7299c10 2224->2227 2229 7299c40-7299c44 2225->2229 2230 7299c32-7299c36 2225->2230 2226->2225 2228 7299c24 2226->2228 2227->2223 2228->2225 2232 7299c56-7299c5d 2229->2232 2233 7299c46-7299c4c 2229->2233 2230->2229 2231 7299c38 2230->2231 2231->2229 2234 7299c5f-7299c6e 2232->2234 2235 7299c74 2232->2235 2233->2232 2234->2235 2236 7299c75 2235->2236 2236->2236
                                                                              APIs
                                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07299B66
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2185893723.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7290000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID: CreateProcess
                                                                              • String ID:
                                                                              • API String ID: 963392458-0
                                                                              • Opcode ID: 180b3db130c75c1430db7e01593a6dbeef04de7f95a5958abdbdd4b7c74fc45f
                                                                              • Instruction ID: 6c38a68708d50c0daff079dcf360c7896f703c0b52cafeba02061d5a8efbe93a
                                                                              • Opcode Fuzzy Hash: 180b3db130c75c1430db7e01593a6dbeef04de7f95a5958abdbdd4b7c74fc45f
                                                                              • Instruction Fuzzy Hash: EF914DB1D1025ADFEF14DF69CC417DDBBB6AF88320F1881A9E848A7240D774A985CF91
                                                                              Function 00F0EDC2 Relevance: 1.7, APIs: 1, Instructions: 200COMMON
                                                                              Download Yara Rule

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 2238 f0edc2-f0eddf 2239 f0ede1-f0edee call f0e794 2238->2239 2240 f0ee0b-f0ee0f 2238->2240 2246 f0edf0 2239->2246 2247 f0ee04 2239->2247 2242 f0ee11-f0ee1b 2240->2242 2243 f0ee23-f0ee64 2240->2243 2242->2243 2249 f0ee71-f0ee7f 2243->2249 2250 f0ee66-f0ee6e 2243->2250 2293 f0edf6 call f0f068 2246->2293 2294 f0edf6 call f0f058 2246->2294 2247->2240 2251 f0ee81-f0ee86 2249->2251 2252 f0eea3-f0eea5 2249->2252 2250->2249 2254 f0ee91 2251->2254 2255 f0ee88-f0ee8f call f0e7a0 2251->2255 2257 f0eea8-f0eeaf 2252->2257 2253 f0edfc-f0edfe 2253->2247 2256 f0ef40-f0f000 2253->2256 2259 f0ee93-f0eea1 2254->2259 2255->2259 2288 f0f002-f0f005 2256->2288 2289 f0f008-f0f033 GetModuleHandleW 2256->2289 2260 f0eeb1-f0eeb9 2257->2260 2261 f0eebc-f0eec3 2257->2261 2259->2257 2260->2261 2262 f0eed0-f0eed9 call f0e7b0 2261->2262 2263 f0eec5-f0eecd 2261->2263 2269 f0eee6-f0eeeb 2262->2269 2270 f0eedb-f0eee3 2262->2270 2263->2262 2271 f0ef09-f0ef16 2269->2271 2272 f0eeed-f0eef4 2269->2272 2270->2269 2279 f0ef18-f0ef36 2271->2279 2280 f0ef39-f0ef3f 2271->2280 2272->2271 2274 f0eef6-f0ef06 call f0e7c0 call f0e7d0 2272->2274 2274->2271 2279->2280 2288->2289 2290 f0f035-f0f03b 2289->2290 2291 f0f03c-f0f050 2289->2291 2290->2291 2293->2253 2294->2253
                                                                              APIs
                                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00F0F026
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2179272381.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_f00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID: HandleModule
                                                                              • String ID:
                                                                              • API String ID: 4139908857-0
                                                                              • Opcode ID: abfb84d543be6e3f9f4e177d4620d96026ca72b218e58cb89dc8669ca308e836
                                                                              • Instruction ID: 387f52e6097286acbf535bd2fecc213427674d719da08495a8d8c4aea1951a46
                                                                              • Opcode Fuzzy Hash: abfb84d543be6e3f9f4e177d4620d96026ca72b218e58cb89dc8669ca308e836
                                                                              • Instruction Fuzzy Hash: 96815570A00B058FD724CF29D58175ABBF1FF88310F14892DE49ADBA80D778E945DB91
                                                                              Function 05154E60 Relevance: 1.6, APIs: 1, Instructions: 139COMMON
                                                                              Download Yara Rule

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 2295 5154e60-5156176 2302 5156181-5156188 2295->2302 2303 5156178-515617e 2295->2303 2304 5156193-51561cb 2302->2304 2305 515618a-5156190 2302->2305 2303->2302 2306 51561d3-5156232 CreateWindowExW 2304->2306 2305->2304 2307 5156234-515623a 2306->2307 2308 515623b-5156273 2306->2308 2307->2308 2312 5156275-5156278 2308->2312 2313 5156280 2308->2313 2312->2313 2314 5156281 2313->2314 2314->2314
                                                                              APIs
                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05156222
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2184087189.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_5150000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID: CreateWindow
                                                                              • String ID:
                                                                              • API String ID: 716092398-0
                                                                              • Opcode ID: 8531608a462a86ad3c271b6ff292d28eb6c25910714ec70267ac6b9b9b046fbb
                                                                              • Instruction ID: b2b5e6133c20073bf6c01b672979ebc5c4b23c1646e8a0272e555ddfefd4d5fc
                                                                              • Opcode Fuzzy Hash: 8531608a462a86ad3c271b6ff292d28eb6c25910714ec70267ac6b9b9b046fbb
                                                                              • Instruction Fuzzy Hash: 1B5100B1C04359DFDB14DFA9D890ADEBBB1FF88314F64812AE818AB211D7749885CF94
                                                                              Function 05156105 Relevance: 1.6, APIs: 1, Instructions: 117COMMON
                                                                              Download Yara Rule

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 2315 5156105-5156176 2316 5156181-5156188 2315->2316 2317 5156178-515617e 2315->2317 2318 5156193-51561cb 2316->2318 2319 515618a-5156190 2316->2319 2317->2316 2320 51561d3-5156232 CreateWindowExW 2318->2320 2319->2318 2321 5156234-515623a 2320->2321 2322 515623b-5156273 2320->2322 2321->2322 2326 5156275-5156278 2322->2326 2327 5156280 2322->2327 2326->2327 2328 5156281 2327->2328 2328->2328
                                                                              APIs
                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05156222
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2184087189.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_5150000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID: CreateWindow
                                                                              • String ID:
                                                                              • API String ID: 716092398-0
                                                                              • Opcode ID: 07777aa03cd64b6ff0f3b3f3b8a7edabfeb40eb1b48bda327130e2abc05e72b9
                                                                              • Instruction ID: c0e4c42cde5804afc8fcd2c9e5817943e181972bce5bb9d6e49e1a5752777579
                                                                              • Opcode Fuzzy Hash: 07777aa03cd64b6ff0f3b3f3b8a7edabfeb40eb1b48bda327130e2abc05e72b9
                                                                              • Instruction Fuzzy Hash: 4951B0B1D00349DFDF14CF99D984ADEBBB5BF48310F64862AE819AB210D7749985CF90
                                                                              Function 05154EA8 Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                                                                              Download Yara Rule

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 2329 5154ea8-5156176 2331 5156181-5156188 2329->2331 2332 5156178-515617e 2329->2332 2333 5156193-5156232 CreateWindowExW 2331->2333 2334 515618a-5156190 2331->2334 2332->2331 2336 5156234-515623a 2333->2336 2337 515623b-5156273 2333->2337 2334->2333 2336->2337 2341 5156275-5156278 2337->2341 2342 5156280 2337->2342 2341->2342 2343 5156281 2342->2343 2343->2343
                                                                              APIs
                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05156222
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2184087189.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_5150000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID: CreateWindow
                                                                              • String ID:
                                                                              • API String ID: 716092398-0
                                                                              • Opcode ID: a31e2372fa10b8beab18d836a4f3b34b11948f1941e48550cb6fdc27e500632d
                                                                              • Instruction ID: 79459c4f1c58b9e6560e42261e32d78ea2aac776042f5939e8d944552d841149
                                                                              • Opcode Fuzzy Hash: a31e2372fa10b8beab18d836a4f3b34b11948f1941e48550cb6fdc27e500632d
                                                                              • Instruction Fuzzy Hash: A951AEB1D04349EFDB14CF99D984ADEBBB5BF88310F64812AE819AB210D775A845CF90
                                                                              Function 05154FFC Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                                                              Download Yara Rule

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 2344 5154ffc-515871c 2348 5158722-5158727 2344->2348 2349 51587cc-51587ec call 5154ed4 2344->2349 2350 5158729-5158760 2348->2350 2351 515877a-51587b2 CallWindowProcW 2348->2351 2356 51587ef-51587fc 2349->2356 2359 5158762-5158768 2350->2359 2360 5158769-5158778 2350->2360 2353 51587b4-51587ba 2351->2353 2354 51587bb-51587ca 2351->2354 2353->2354 2354->2356 2359->2360 2360->2356
                                                                              APIs
                                                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 051587A1
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2184087189.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_5150000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID: CallProcWindow
                                                                              • String ID:
                                                                              • API String ID: 2714655100-0
                                                                              • Opcode ID: b57538f8b6d8c3e490f91c0a9c7c6c74d5c72b035c73c982f00fca6908256423
                                                                              • Instruction ID: 7269ae49b5c6ece72999a76b910d91c97586b9c0c7c90c15ec52d235cc86f177
                                                                              • Opcode Fuzzy Hash: b57538f8b6d8c3e490f91c0a9c7c6c74d5c72b035c73c982f00fca6908256423
                                                                              • Instruction Fuzzy Hash: 93410D78900305DFDB14DF59C448AAEBBF5FB89324F258459D529AB321D774A841CF60
                                                                              Function 00F044C4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                                              Download Yara Rule

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 2362 f044c4-f059d9 CreateActCtxA 2365 f059e2-f05a3c 2362->2365 2366 f059db-f059e1 2362->2366 2373 f05a4b-f05a4f 2365->2373 2374 f05a3e-f05a41 2365->2374 2366->2365 2375 f05a60 2373->2375 2376 f05a51-f05a5d 2373->2376 2374->2373 2378 f05a61 2375->2378 2376->2375 2378->2378
                                                                              APIs
                                                                              • CreateActCtxA.KERNEL32(?), ref: 00F059C9
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2179272381.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_f00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID: Create
                                                                              • String ID:
                                                                              • API String ID: 2289755597-0
                                                                              • Opcode ID: 507b6a398d4ed22af4efc6f3b1759aa1807e1dfc6c7b8b6618e46ccfc8e4965e
                                                                              • Instruction ID: eca14f2484a80180b30d92db6f4d13f12abc1146dcc73d90ae33452a85896702
                                                                              • Opcode Fuzzy Hash: 507b6a398d4ed22af4efc6f3b1759aa1807e1dfc6c7b8b6618e46ccfc8e4965e
                                                                              • Instruction Fuzzy Hash: 9341F170C0071DCBDB24CFA9C884B8EBBB5BF89704F2081AAD409AB251DBB56945DF90
                                                                              Function 00F0590C Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                                              Download Yara Rule

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 2379 f0590c-f05912 2380 f05918-f059d9 CreateActCtxA 2379->2380 2382 f059e2-f05a3c 2380->2382 2383 f059db-f059e1 2380->2383 2390 f05a4b-f05a4f 2382->2390 2391 f05a3e-f05a41 2382->2391 2383->2382 2392 f05a60 2390->2392 2393 f05a51-f05a5d 2390->2393 2391->2390 2395 f05a61 2392->2395 2393->2392 2395->2395
                                                                              APIs
                                                                              • CreateActCtxA.KERNEL32(?), ref: 00F059C9
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2179272381.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_f00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID: Create
                                                                              • String ID:
                                                                              • API String ID: 2289755597-0
                                                                              • Opcode ID: 7ff137fce01c42a9baae26d8ba3d1702ab46b49d42367667e76b11d5198ab211
                                                                              • Instruction ID: 784a538f86f0ca9db144d4201fd2ad02c65c684931e21c67cc55cee6d62508fe
                                                                              • Opcode Fuzzy Hash: 7ff137fce01c42a9baae26d8ba3d1702ab46b49d42367667e76b11d5198ab211
                                                                              • Instruction Fuzzy Hash: EB41EF70C00619CBDB24CFA9C885B8EBBF5BF49704F2081AAD409AB251DBB56946DF50
                                                                              Function 07033310 Relevance: 1.6, APIs: 1, Instructions: 74COMMON
                                                                              Download Yara Rule

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 2396 7033310-7033364 2398 7033366-703336c 2396->2398 2399 703336f-703337e 2396->2399 2398->2399 2400 7033383-70333bc DrawTextExW 2399->2400 2401 7033380 2399->2401 2402 70333c5-70333e2 2400->2402 2403 70333be-70333c4 2400->2403 2401->2400 2403->2402
                                                                              APIs
                                                                              • DrawTextExW.USER32(?,?,?,?,?,?), ref: 070333AF
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2185368607.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7030000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID: DrawText
                                                                              • String ID:
                                                                              • API String ID: 2175133113-0
                                                                              • Opcode ID: 0e41dfb8455c264905b1e57ee5006c1bd85470350ca5ae5c48ccac1dc9ee93c0
                                                                              • Instruction ID: 81466314a508d52b8054b16431c54d17395178aa3f8080923d81001a23eabd4d
                                                                              • Opcode Fuzzy Hash: 0e41dfb8455c264905b1e57ee5006c1bd85470350ca5ae5c48ccac1dc9ee93c0
                                                                              • Instruction Fuzzy Hash: 2431C4B5D002499FDB10CF9AD884ADEFBF9FF48310F24842AE919A7210D774A545CFA4
                                                                              Function 072996A0 Relevance: 1.6, APIs: 1, Instructions: 73injectionCOMMON
                                                                              Download Yara Rule

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph 2406 72996a0-72996f6 2409 72996f8-7299704 2406->2409 2410 7299706-7299745 WriteProcessMemory 2406->2410 2409->2410 2412 729974e-729977e 2410->2412 2413 7299747-729974d 2410->2413 2413->2412
                                                                              APIs
                                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07299738
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2185893723.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7290000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID: MemoryProcessWrite
                                                                              • String ID:
                                                                              • API String ID: 3559483778-0
                                                                              • Opcode ID: 03abed83903d3327dabbf727df015fe44a7e8e764d0185f08e69da5bbb91a292
                                                                              • Instruction ID: 0f6aefe255d8db9fea4fdf9bb541570939a67d719b4714e6ddd1ce22833c07dd
                                                                              • Opcode Fuzzy Hash: 03abed83903d3327dabbf727df015fe44a7e8e764d0185f08e69da5bbb91a292
                                                                              • Instruction Fuzzy Hash: C9212AB59103599FDF10CFA9C885BDEBBF5FF88320F148429E958A7240C778A950CBA4
                                                                              Function 07033318 Relevance: 1.6, APIs: 1, Instructions: 69COMMON
                                                                              Download Yara Rule
                                                                              APIs
                                                                              • DrawTextExW.USER32(?,?,?,?,?,?), ref: 070333AF
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2185368607.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7030000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID: DrawText
                                                                              • String ID:
                                                                              • API String ID: 2175133113-0
                                                                              • Opcode ID: 51dd92832975a92a4244f0d10cc80571d644065cc161a907598008263c7e2fd6
                                                                              • Instruction ID: 3b3f8806a138daa50be93643562b4596e3763da528c83c1be93d29b61da05e50
                                                                              • Opcode Fuzzy Hash: 51dd92832975a92a4244f0d10cc80571d644065cc161a907598008263c7e2fd6
                                                                              • Instruction Fuzzy Hash: 3321A3B5D002499FDB10CF9AD884ADEFBF9FB48320F14842AE919A7310D775A544CFA4
                                                                              Function 072996A8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                                                              Download Yara Rule
                                                                              APIs
                                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07299738
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2185893723.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7290000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID: MemoryProcessWrite
                                                                              • String ID:
                                                                              • API String ID: 3559483778-0
                                                                              • Opcode ID: 937e921bf978be89b1ae516c7578c3c825c92a51803614fa948d16e49fac84b0
                                                                              • Instruction ID: ff6a40f0ff3511f5afc96d127ef6e866f97abaaf4be593077272bd31e3f38665
                                                                              • Opcode Fuzzy Hash: 937e921bf978be89b1ae516c7578c3c825c92a51803614fa948d16e49fac84b0
                                                                              • Instruction Fuzzy Hash: 68212AB59003599FDF10CFA9C885BDEBBF5FF88320F148429E558A7240C778A550CBA4
                                                                              Function 07299509 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON
                                                                              Download Yara Rule
                                                                              APIs
                                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0729958E
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2185893723.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7290000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID: ContextThreadWow64
                                                                              • String ID:
                                                                              • API String ID: 983334009-0
                                                                              • Opcode ID: 48b2c1a37a195ddf196d1be1a91c610a8295f319463eb71abee698f8d70f187d
                                                                              • Instruction ID: d3ccf3d5c8da47b512193c5c0a29297985742613957440e2f6ee62ad3fe4ddfe
                                                                              • Opcode Fuzzy Hash: 48b2c1a37a195ddf196d1be1a91c610a8295f319463eb71abee698f8d70f187d
                                                                              • Instruction Fuzzy Hash: C8213AB19003099FEB10DFAAC4857EFBBF4EF88324F188429D559A7241C778A944CFA4
                                                                              Function 05151458 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                                              Download Yara Rule
                                                                              APIs
                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,05151B4E,?,?,?,?,?), ref: 05151C0F
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2184087189.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_5150000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID: DuplicateHandle
                                                                              • String ID:
                                                                              • API String ID: 3793708945-0
                                                                              • Opcode ID: ca1ec02859707af83304c97d1ed88cbcd6e96c09e961386611c40f05203e1f27
                                                                              • Instruction ID: 6e5d8c8af6a0fba4344de968be06a3bfc05a8e7f64b0be0a9bab479f4457880a
                                                                              • Opcode Fuzzy Hash: ca1ec02859707af83304c97d1ed88cbcd6e96c09e961386611c40f05203e1f27
                                                                              • Instruction Fuzzy Hash: CE21E6B5900249EFDB10CF99D984ADEFBF5FB48320F14841AE958A7310D379A950CFA4
                                                                              Function 05151B80 Relevance: 1.6, APIs: 1, Instructions: 64COMMON
                                                                              Download Yara Rule
                                                                              APIs
                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,05151B4E,?,?,?,?,?), ref: 05151C0F
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2184087189.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_5150000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID: DuplicateHandle
                                                                              • String ID:
                                                                              • API String ID: 3793708945-0
                                                                              • Opcode ID: c1d8aea046d84c9386d2f77e8ec8731633912b1d3bfbb1a0d39def4f33671400
                                                                              • Instruction ID: 04074aedb75938f3059d62a22ad671e071b4ef25cfe0dd82b50ce08f3df83bf2
                                                                              • Opcode Fuzzy Hash: c1d8aea046d84c9386d2f77e8ec8731633912b1d3bfbb1a0d39def4f33671400
                                                                              • Instruction Fuzzy Hash: DC21E5B5900249EFDB10CF9AD984ADEFBF5FB48320F14841AE958A7310D379A954CF64
                                                                              Function 07299798 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                                              Download Yara Rule
                                                                              APIs
                                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07299818
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2185893723.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7290000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID: MemoryProcessRead
                                                                              • String ID:
                                                                              • API String ID: 1726664587-0
                                                                              • Opcode ID: 64037d7f16ee615fcb42de0a0a85ebe6440cb32569414f5f530f966834a008bc
                                                                              • Instruction ID: a13409446accf5284711a5aa8f2604de9c759886052044f352884f09bc556a5e
                                                                              • Opcode Fuzzy Hash: 64037d7f16ee615fcb42de0a0a85ebe6440cb32569414f5f530f966834a008bc
                                                                              • Instruction Fuzzy Hash: 292128B18003599FDB10DFAAC881ADEFBF5FF88320F14842DE558A7250C738A950CBA4
                                                                              Function 07299790 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                                              Download Yara Rule
                                                                              APIs
                                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07299818
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2185893723.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7290000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID: MemoryProcessRead
                                                                              • String ID:
                                                                              • API String ID: 1726664587-0
                                                                              • Opcode ID: 00a280ff483c74699d75253da788e99a6a95187bc5a2bb21c59cc9c792e3dbac
                                                                              • Instruction ID: 1f4190e0f9a7852411d06234a0677bf3771f03e7a735b9722caf475112759a58
                                                                              • Opcode Fuzzy Hash: 00a280ff483c74699d75253da788e99a6a95187bc5a2bb21c59cc9c792e3dbac
                                                                              • Instruction Fuzzy Hash: AC2105B18002599FDB10CFA9C981AEEBBF5FF88320F14842EE559A7250C7389950DBA4
                                                                              Function 07299510 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                                                              Download Yara Rule
                                                                              APIs
                                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0729958E
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2185893723.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7290000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID: ContextThreadWow64
                                                                              • String ID:
                                                                              • API String ID: 983334009-0
                                                                              • Opcode ID: 7c43c9b65cf2ee48542b6c8afdfb7e73eeae9e18df756eb333f7672a4135aacd
                                                                              • Instruction ID: df9f1587540025b5a3dbc7c9c439f92e971e99a50ef25f77d0dfb8077d045794
                                                                              • Opcode Fuzzy Hash: 7c43c9b65cf2ee48542b6c8afdfb7e73eeae9e18df756eb333f7672a4135aacd
                                                                              • Instruction Fuzzy Hash: 212118B19003099FEB10DFAAC4857EEBBF4EF88324F148429D559A7241D778A944CFA5
                                                                              Function 072995E0 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON
                                                                              Download Yara Rule
                                                                              APIs
                                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07299656
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2185893723.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7290000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID: AllocVirtual
                                                                              • String ID:
                                                                              • API String ID: 4275171209-0
                                                                              • Opcode ID: d9213c8c2b79998e42d679ac5e0d04425d029dc880b160cbb9493e1a5f1d4efe
                                                                              • Instruction ID: e324e18928c6bbe1496f65be9c4e1e299e928d325efdc9a231f8ffe4efcdba93
                                                                              • Opcode Fuzzy Hash: d9213c8c2b79998e42d679ac5e0d04425d029dc880b160cbb9493e1a5f1d4efe
                                                                              • Instruction Fuzzy Hash: 591159B19002499FEF10DFA9C845BDFBBF5EF88320F148419E559A7250C735A550CBA5
                                                                              Function 072995E8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                                                              Download Yara Rule
                                                                              APIs
                                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07299656
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2185893723.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7290000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID: AllocVirtual
                                                                              • String ID:
                                                                              • API String ID: 4275171209-0
                                                                              • Opcode ID: bbf483e312bac66b4f3d029d8da9b627174fa3c422e11556eed052026c9a9107
                                                                              • Instruction ID: 52547f73d0bac4952bda272c35c61bb3f9afb1d82b5bc087f8d87b458c3c6e1c
                                                                              • Opcode Fuzzy Hash: bbf483e312bac66b4f3d029d8da9b627174fa3c422e11556eed052026c9a9107
                                                                              • Instruction Fuzzy Hash: B81167B18002499FDF10DFAAC844BDFBBF5EF88320F148419E559A7250C739A550CFA4
                                                                              Function 07299459 Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON
                                                                              Download Yara Rule
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2185893723.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7290000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID: ResumeThread
                                                                              • String ID:
                                                                              • API String ID: 947044025-0
                                                                              • Opcode ID: dfae76869234a1d7754e617d2d3b98204fe0c78f0e7513487dcb81a63f0fb8f8
                                                                              • Instruction ID: a694edb2f4c066763575c85214b5fbe25f0c340f57ed6b4f83b8b62fe135925f
                                                                              • Opcode Fuzzy Hash: dfae76869234a1d7754e617d2d3b98204fe0c78f0e7513487dcb81a63f0fb8f8
                                                                              • Instruction Fuzzy Hash: 19116DB19003498FEB10DFAAC4457DFFBF4EF88720F148819D559A7240C735A540CBA5
                                                                              Function 07299460 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                                                              Download Yara Rule
                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2185893723.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7290000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID: ResumeThread
                                                                              • String ID:
                                                                              • API String ID: 947044025-0
                                                                              • Opcode ID: 0a706c87aec1c4e55f420d86c976820e553b4f0f68b1831823da8d506123e6d7
                                                                              • Instruction ID: 27bdd80b1ee9c760fbd90d2a5fe989b71cdb626a6b2754195c76da40e903b7a4
                                                                              • Opcode Fuzzy Hash: 0a706c87aec1c4e55f420d86c976820e553b4f0f68b1831823da8d506123e6d7
                                                                              • Instruction Fuzzy Hash: DA113AB19003498FEB10DFAAC4457DEFBF4EF88724F248419D559A7240C779A540CBA5
                                                                              Function 072982BC Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                                                              Download Yara Rule
                                                                              APIs
                                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0729C15D
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2185893723.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7290000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID: MessagePost
                                                                              • String ID:
                                                                              • API String ID: 410705778-0
                                                                              • Opcode ID: 13ae557a7fd5655ab4469202688d16be6c33f5cb6e2386eeb11038292fa768bd
                                                                              • Instruction ID: 38cd157b13eda13adb4552ad1c0464abee4e14d8079f3f9a56c573cff4432de9
                                                                              • Opcode Fuzzy Hash: 13ae557a7fd5655ab4469202688d16be6c33f5cb6e2386eeb11038292fa768bd
                                                                              • Instruction Fuzzy Hash: 831103B5800349DFDB10DF9AD884BDEBBF8EB48320F24845AE558A7210C375A984CFA5
                                                                              Function 0729C0F8 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                                                              Download Yara Rule
                                                                              APIs
                                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 0729C15D
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2185893723.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7290000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID: MessagePost
                                                                              • String ID:
                                                                              • API String ID: 410705778-0
                                                                              • Opcode ID: 63c8ceeac8d67ddbbd65575dab9828871520014bf67965bd65a3c2cfdadef82e
                                                                              • Instruction ID: 06c4ad60a17ccb18e68aa9e7c3ea6e47a80aa4688e71dfed1aa807b38cc341f4
                                                                              • Opcode Fuzzy Hash: 63c8ceeac8d67ddbbd65575dab9828871520014bf67965bd65a3c2cfdadef82e
                                                                              • Instruction Fuzzy Hash: 801106B5800349DFDB10DF99D845BDEFBF8EB48310F14841AD558A7600C375A584CFA5
                                                                              Function 00F0EFC0 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                              Download Yara Rule
                                                                              APIs
                                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00F0F026
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2179272381.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_f00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID: HandleModule
                                                                              • String ID:
                                                                              • API String ID: 4139908857-0
                                                                              • Opcode ID: c4a18ca98d8e79d553a85b44d748ea08358baa9a64305e8e72d5e29860c02e6f
                                                                              • Instruction ID: 6c861420414c326dc1b2d279f7c7e28bb0960aea34b533a913b56cd32caa8ed7
                                                                              • Opcode Fuzzy Hash: c4a18ca98d8e79d553a85b44d748ea08358baa9a64305e8e72d5e29860c02e6f
                                                                              • Instruction Fuzzy Hash: BC1110B5C00249CFDB20CF9AD444ADEFBF4AB88320F14842AD428B7651C379A549CFA5
                                                                              Function 00EBD01C Relevance: .1, Instructions: 72COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2178533383.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_ebd000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 132c86036987568d11976f4834ef1d3a3cbe96a55310ce8f7a6a51db53f77d69
                                                                              • Instruction ID: e8b2cbc896d0d540d6e662f8ae4041243fa6c2013763e25dacba28b51630560f
                                                                              • Opcode Fuzzy Hash: 132c86036987568d11976f4834ef1d3a3cbe96a55310ce8f7a6a51db53f77d69
                                                                              • Instruction Fuzzy Hash: B6212271608200DFDB14EF14D980B97BB66EB88318F20C56DD80A5B292D33AD847CA61
                                                                              Function 00EBD1D4 Relevance: .1, Instructions: 72COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2178533383.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_ebd000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 997dae4a2c88fc619c7d6085ee09349173247db01ab5088e4f3a33427fd4ade7
                                                                              • Instruction ID: 391c38ac844ec182c322b54d85747e282d1ad8aaaea33a93ee27068806f80ebc
                                                                              • Opcode Fuzzy Hash: 997dae4a2c88fc619c7d6085ee09349173247db01ab5088e4f3a33427fd4ade7
                                                                              • Instruction Fuzzy Hash: 5B210471508284EFDB05DF54D9C0BA7BBA5FB84318F20C66DE9095B2A2D336D846CB61
                                                                              Function 00EBD005 Relevance: .1, Instructions: 62COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2178533383.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_ebd000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3fa99e486171a923acb9eaa64d6d6a009a851b8e7d69fc850d3e3b8c44189a8a
                                                                              • Instruction ID: 0279242a5fc3e623835c855c3bdf8e43daed8c0aae61b6edb87c6a8f8cfa130b
                                                                              • Opcode Fuzzy Hash: 3fa99e486171a923acb9eaa64d6d6a009a851b8e7d69fc850d3e3b8c44189a8a
                                                                              • Instruction Fuzzy Hash: 6F21537550D3808FCB12DF24D994756BF71EB46314F28C5DAD8498F6A7C33A980ACB62
                                                                              Function 00EBD1CF Relevance: .1, Instructions: 53COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2178533383.0000000000EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EBD000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_ebd000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f5dd070f47a673dda7babee824c8441981cc2d376d27ad6ac8e2bf7ef2f1688d
                                                                              • Instruction ID: cfb389112d893072ae1a5bf0c195634bcb9751f23cc3a3765322b80cc6dfc43b
                                                                              • Opcode Fuzzy Hash: f5dd070f47a673dda7babee824c8441981cc2d376d27ad6ac8e2bf7ef2f1688d
                                                                              • Instruction Fuzzy Hash: 3011BB75508280DFCB02CF50C9C0B56BBA1FB84318F24C6A9D8494B2A6C33AD81ACBA1
                                                                              Function 00EAD745 Relevance: .0, Instructions: 45COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2178374362.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_ead000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 174ec931f44174d04ee43653b89c1b148b4c016a9eb8f95dcfe3a3fc42bfda9f
                                                                              • Instruction ID: 8bbc5d65a0aa856f385e891eb198eb8ded3de9ed5fa6d8cd15cbb76bb2f7071f
                                                                              • Opcode Fuzzy Hash: 174ec931f44174d04ee43653b89c1b148b4c016a9eb8f95dcfe3a3fc42bfda9f
                                                                              • Instruction Fuzzy Hash: 8401F7310083449AE7144E25CD84BA7BF98DF46324F18851BFD0A5F682C239A841C671
                                                                              Function 00EAD744 Relevance: .0, Instructions: 36COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2178374362.0000000000EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EAD000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_ead000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 61c33a01389326adf18d3871e7579ad791114ce45aa5b8d2004e43831538794d
                                                                              • Instruction ID: 520f148f00527bd30458f2bd4323b90d2229c0407bf6c8673e6a08b3afa0a64d
                                                                              • Opcode Fuzzy Hash: 61c33a01389326adf18d3871e7579ad791114ce45aa5b8d2004e43831538794d
                                                                              • Instruction Fuzzy Hash: F6F0C271008344AEE7148E15DC84B62FF98EB86738F18C05BFD091F696C279A844CBB1

                                                                              Non-executed Functions

                                                                              Function 07031DE8 Relevance: .6, Instructions: 626COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2185368607.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7030000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3b1d5f68b19ccf4a59bf301966fdf06a9e6bbc4337a640be6b934fee68f00307
                                                                              • Instruction ID: d939f9f16795ed7852e1521701a565eb6a6ea785d96d8eb160e418d746f38bf3
                                                                              • Opcode Fuzzy Hash: 3b1d5f68b19ccf4a59bf301966fdf06a9e6bbc4337a640be6b934fee68f00307
                                                                              • Instruction Fuzzy Hash: 58327F70E002588FDB54DFB9C8917AEBBF6BF89300F148269E409AF395DA349D45CB91
                                                                              Function 0729DE40 Relevance: .4, Instructions: 377COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2185893723.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7290000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: df42ae5ddce2336513ae16c17cd287674f59276ff071741e1caee780c18be88e
                                                                              • Instruction ID: 77680ce55d2c2958120210678bdebca7d3b642066311b4d13fe46cc64e97ef6f
                                                                              • Opcode Fuzzy Hash: df42ae5ddce2336513ae16c17cd287674f59276ff071741e1caee780c18be88e
                                                                              • Instruction Fuzzy Hash: D1D19DB2B107028FDB29DB79C860B6EB7E6AF89700F18487DD14A8B391DB35E901D751
                                                                              Function 05154458 Relevance: .3, Instructions: 315COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2184087189.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_5150000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 210826c726794df70eecf30d1a288b8ce0620cd1071280a4d6c1531de0197381
                                                                              • Instruction ID: 2f043779dfcb903f53cb26a12b8128d669f155e3d3df3f63d3d900865a6e47b3
                                                                              • Opcode Fuzzy Hash: 210826c726794df70eecf30d1a288b8ce0620cd1071280a4d6c1531de0197381
                                                                              • Instruction Fuzzy Hash: AF1252F0422B458ED722CF66ED4E18D3EB1BF85318B504209E2656A6E9DFBC154BCF84
                                                                              Function 07297530 Relevance: .3, Instructions: 312COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2185893723.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7290000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e135c9dabe558463de1cb4694f979eeca0c724cbc189b12ce58dd2f714cd591a
                                                                              • Instruction ID: e4537a095c681677e2b2ed184eedb3a400695e36db0dea7f35c32300f31376ed
                                                                              • Opcode Fuzzy Hash: e135c9dabe558463de1cb4694f979eeca0c724cbc189b12ce58dd2f714cd591a
                                                                              • Instruction Fuzzy Hash: C7E1FCB4E102198FDB14DFA9C5809AEFBF2FF89305F248169D418AB356D731A942CF60
                                                                              Function 072970F8 Relevance: .3, Instructions: 312COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2185893723.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7290000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b90da7c9bc4aeaae054d3568c476717bd8e31b46223ceaa9ed3d38dd906bd072
                                                                              • Instruction ID: d05690cf01f34f218f523e205672f47a3e96d3ff906e16d4dd8304b33d2a9d30
                                                                              • Opcode Fuzzy Hash: b90da7c9bc4aeaae054d3568c476717bd8e31b46223ceaa9ed3d38dd906bd072
                                                                              • Instruction Fuzzy Hash: AAE1EBB4E102199FDB14DFA9C5809AEFBF2FF89305F248169D818AB356D731A941CF60
                                                                              Function 07298C38 Relevance: .3, Instructions: 312COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2185893723.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7290000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 687d0a4e12ac81fb0d6977bc36a958dfa10d0d7cb4ab103e58b79fc950071504
                                                                              • Instruction ID: 86467375a9f47f13166e9779e38618710a3ecbd198209705430eb14965ccaad8
                                                                              • Opcode Fuzzy Hash: 687d0a4e12ac81fb0d6977bc36a958dfa10d0d7cb4ab103e58b79fc950071504
                                                                              • Instruction Fuzzy Hash: 86E11CB4E102198FDB14DFA9C5809AEFBF2FF89304F288169D458AB356D735A941CF60
                                                                              Function 07296CC0 Relevance: .3, Instructions: 312COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2185893723.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7290000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3dbc703707f828e35ae2eda4f7395de18252759290d59b8df416dd2f12954434
                                                                              • Instruction ID: 768ff8e27758d5884ab987fadf8952f24ae672c56ea02c9a6e580f330ef3c625
                                                                              • Opcode Fuzzy Hash: 3dbc703707f828e35ae2eda4f7395de18252759290d59b8df416dd2f12954434
                                                                              • Instruction Fuzzy Hash: 2FE11CB4E102198FDB14DFA9C5809AEFBF2FF89305F248169D454AB356D731A942CF60
                                                                              Function 07296888 Relevance: .3, Instructions: 312COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2185893723.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7290000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d985775b05dc8f79043f4d1860d78a3351745829d24198de7abc259144a47819
                                                                              • Instruction ID: 377ec0e59c6c6abd526b5a5095a49fd2627c77160f7e79eceafabb293962e559
                                                                              • Opcode Fuzzy Hash: d985775b05dc8f79043f4d1860d78a3351745829d24198de7abc259144a47819
                                                                              • Instruction Fuzzy Hash: 74E1FBB4E102198FDB14DFA9C590AAEFBF2FF89305F248169D414AB356D731A942CF60
                                                                              Function 07034948 Relevance: .3, Instructions: 277COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2185368607.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7030000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e7dd490888d1e0680fe67709ac6df33c5fa8e6ee8e283cfdbdfd27fd08366066
                                                                              • Instruction ID: 901f4b85af6942f31ecd94ef89d375396a641099c91a580e4798549ffe41c5b7
                                                                              • Opcode Fuzzy Hash: e7dd490888d1e0680fe67709ac6df33c5fa8e6ee8e283cfdbdfd27fd08366066
                                                                              • Instruction Fuzzy Hash: 10C159B1E006599FCB54CFA5C8807ADBBF6AF88300F04C6AAE409AF255DB71D985CF50
                                                                              Function 051524E4 Relevance: .3, Instructions: 264COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2184087189.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_5150000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 6b4d4b4e93ad3203ee79d83131795db88a0bf0168bf97ff1019c1228ddca1f23
                                                                              • Instruction ID: 06597016c21eabf9e842690a5252d5482396dee2bd9e1a5ee82507fa2e962ebe
                                                                              • Opcode Fuzzy Hash: 6b4d4b4e93ad3203ee79d83131795db88a0bf0168bf97ff1019c1228ddca1f23
                                                                              • Instruction Fuzzy Hash: 30A16F36E10205CFCF19DFB4D8845DEBBB2FF84310B15856AE826AB255DB71E946CB40
                                                                              Function 05154448 Relevance: .2, Instructions: 222COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2184087189.0000000005150000.00000040.00000800.00020000.00000000.sdmp, Offset: 05150000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_5150000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: c672141359f4ee11df03132dcc631cfd6c67ea09d99641ff394a7c801c423b83
                                                                              • Instruction ID: 6aa4d878a0d8768114340e738d810eb781d041177b337f6721b9951846def0ea
                                                                              • Opcode Fuzzy Hash: c672141359f4ee11df03132dcc631cfd6c67ea09d99641ff394a7c801c423b83
                                                                              • Instruction Fuzzy Hash: FDC1D5F0422A458ED722CF66ED4A18D7FB1BF85314F514209E2616B6D8DFB8154BCF84
                                                                              Function 07297520 Relevance: .2, Instructions: 161COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2185893723.0000000007290000.00000040.00000800.00020000.00000000.sdmp, Offset: 07290000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7290000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f347be1e4284e094393d63633b7b2d7eae9534dfb0663e26b633ab62c21c6497
                                                                              • Instruction ID: e3d6a79096f6dc0e98956bc8cb95510c47b899c1a4f1f29d4a6f495322d2492d
                                                                              • Opcode Fuzzy Hash: f347be1e4284e094393d63633b7b2d7eae9534dfb0663e26b633ab62c21c6497
                                                                              • Instruction Fuzzy Hash: 25611DB4E102198FDB14DFA9C581AAEFBF2FF89304F248169D418A7355D731A941CFA0
                                                                              Function 0703CDF0 Relevance: .1, Instructions: 118COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000001.00000002.2185368607.0000000007030000.00000040.00000800.00020000.00000000.sdmp, Offset: 07030000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_1_2_7030000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 95d194a7d90f990faf139e79d03e7eeae52edd5b60190db57fe3c4584783a351
                                                                              • Instruction ID: f8b55e729d1281b5cd164a3d2efe004a127c772e487c6fb36c91ec194bfb7e28
                                                                              • Opcode Fuzzy Hash: 95d194a7d90f990faf139e79d03e7eeae52edd5b60190db57fe3c4584783a351
                                                                              • Instruction Fuzzy Hash: F44102B1A14215CFE7109B69D4402BFB7F9EF46709F04826BE426EB2C1D738C542D761

                                                                              Executed Functions

                                                                              Function 00E0C530 Relevance: 4.3, Strings: 1, Instructions: 3069COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: N
                                                                              • API String ID: 0-1130791706
                                                                              • Opcode ID: a0b8264656f0d7f911cd6737fbde68952d4366b4629e7c81b8f5549df47fbae3
                                                                              • Instruction ID: a953abf47abd9ad7e310684f1531f20ee703df3cb5275c341e02ec75cd058866
                                                                              • Opcode Fuzzy Hash: a0b8264656f0d7f911cd6737fbde68952d4366b4629e7c81b8f5549df47fbae3
                                                                              • Instruction Fuzzy Hash: F273D731D1075A8EDB11EFA8C854AA9F7B1FF99300F11D69AE44877261EB70AAC4CF41
                                                                              Function 00E02DD1 Relevance: .3, Instructions: 269COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 3d5021f2e85525a77c022f3a64de4355311072e13f23147127276946e73fbdf6
                                                                              • Instruction ID: 2e281e58d13478b1e2ecf262a96733f2eceba295c83e86f8d80f9dd432e806c4
                                                                              • Opcode Fuzzy Hash: 3d5021f2e85525a77c022f3a64de4355311072e13f23147127276946e73fbdf6
                                                                              • Instruction Fuzzy Hash: 9391C474B01358DBDB08EB7988582BEBBB7BFC8700B14886ED146E7394DE348D468791
                                                                              Function 00E09480 Relevance: .3, Instructions: 268COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b95cac50c0e714940b7c5aadefc3e96f7cbdf74b3f6b6d58421066fb07b52257
                                                                              • Instruction ID: a05ff12cd465b4c57f1604d61a465cbd3b4ee7205ab583f2f1331463ab31c7ff
                                                                              • Opcode Fuzzy Hash: b95cac50c0e714940b7c5aadefc3e96f7cbdf74b3f6b6d58421066fb07b52257
                                                                              • Instruction Fuzzy Hash: BFC1B278E04218CFDB14DFA5D944B9DBBB2BF89304F2091A9D809AB395DB359E85CF10
                                                                              Function 00E0C521 Relevance: .2, Instructions: 224COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f0cb4ff39b2bf66e3f0fbdb46f743bffa520ab5c410798946c74ff54f88dc573
                                                                              • Instruction ID: 32ab782e68f8f2fedce8f842c0768162a0f91d2c5a61b0d5e5881a5ef4892817
                                                                              • Opcode Fuzzy Hash: f0cb4ff39b2bf66e3f0fbdb46f743bffa520ab5c410798946c74ff54f88dc573
                                                                              • Instruction Fuzzy Hash: 62A1F271D006198EDB14DFA9C8846EDFBB1EF89300F10D2AAE408B7261EB709AC5CF51
                                                                              Function 00E09A30 Relevance: .2, Instructions: 221COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: dbb0af4a10a66c8887c636f8c11aaad7d263d05e9d69491d9a749029b01d27e4
                                                                              • Instruction ID: 83b2ce2522281ed079958ba8bc88928bd58cbf201ad2a76a2233049e5d5c91c7
                                                                              • Opcode Fuzzy Hash: dbb0af4a10a66c8887c636f8c11aaad7d263d05e9d69491d9a749029b01d27e4
                                                                              • Instruction Fuzzy Hash: 6BA1F370E00609CFEB14DFA9D588BDDBBB1FF89304F209269E409AB292DB745985CF54
                                                                              Function 00E09A40 Relevance: .2, Instructions: 220COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 7eb8201a54a3b557ebefa156c6f5fe454cc81c43e7159406e1d586bc2fe1856b
                                                                              • Instruction ID: a40a5f7e5cb69b51604b0ae825ac859bea27da7efb39470b7bf7d2b9585f0f2e
                                                                              • Opcode Fuzzy Hash: 7eb8201a54a3b557ebefa156c6f5fe454cc81c43e7159406e1d586bc2fe1856b
                                                                              • Instruction Fuzzy Hash: AAA1F470D00608CFEB14DFA9D988B9DBBB1FF89314F209269E409BB292DB745985CF54
                                                                              Function 00E09D87 Relevance: .2, Instructions: 202COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: dd2388c6e0f1d20b99d3fa3c385d5c0e0cb00372533d56fb6e927c8666e767e1
                                                                              • Instruction ID: ac3990117e11609048cc692baa1f52ae4734f84251bec48634fd7186103958ae
                                                                              • Opcode Fuzzy Hash: dd2388c6e0f1d20b99d3fa3c385d5c0e0cb00372533d56fb6e927c8666e767e1
                                                                              • Instruction Fuzzy Hash: 4591D070D00608CFEB14DFA8C988B9DBBB1FF49314F209259E409BB292DB759985CF14
                                                                              Function 00E0946F Relevance: .1, Instructions: 99COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 20b222b45297f27792e5fcc1ff77a4a804c17c68e6aea8dfc3bbaf6c833835b7
                                                                              • Instruction ID: a5d5d626d551cbe9ea22d97a3368fe520d25e0a11f3101d2d70344c5def8d1bf
                                                                              • Opcode Fuzzy Hash: 20b222b45297f27792e5fcc1ff77a4a804c17c68e6aea8dfc3bbaf6c833835b7
                                                                              • Instruction Fuzzy Hash: FF410474D00248CBEB18CFA6D84469DBBF2AF89300F24D02AD415BB395EB384946CF10
                                                                              Function 00E0AF78 Relevance: 1.5, Strings: 1, Instructions: 224COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID: 0-3916222277
                                                                              • Opcode ID: 17fcd3d824785fd7a24cb9e94a8f85b18baca9a5289906d9c879a1779c78243f
                                                                              • Instruction ID: e0a09f6a1690109335fcfe39c3421baba3617e8d0d1071acab265a0c0fcd6660
                                                                              • Opcode Fuzzy Hash: 17fcd3d824785fd7a24cb9e94a8f85b18baca9a5289906d9c879a1779c78243f
                                                                              • Instruction Fuzzy Hash: 9D71D634B04204DBDF246F78945926E7B96FF84364F248629F926E73D0CF358D8687A1
                                                                              Function 00E0AF73 Relevance: 1.4, Strings: 1, Instructions: 183COMMON
                                                                              Download Yara Rule
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID: 0-3916222277
                                                                              • Opcode ID: 41d4306362bb4df686ce90251f66a5b6d6ee965b513e405bf4835ef328a81b0b
                                                                              • Instruction ID: 1d9a66f9a12999190f4a7651d1a672a40e57e7baeb91978803a2705e6eb1f4d9
                                                                              • Opcode Fuzzy Hash: 41d4306362bb4df686ce90251f66a5b6d6ee965b513e405bf4835ef328a81b0b
                                                                              • Instruction Fuzzy Hash: 6A51C234B04204CBDB186F78985926E7BA6FFC8364F248529F526E73D0DF398D4687A1
                                                                              Function 00E0B500 Relevance: .4, Instructions: 390COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: aac4237f2f1c4eb8bc0d92f39791046b81a97f562e2b64ae55339ada06cb3f10
                                                                              • Instruction ID: 7a0bdbc3eb6d7a3b0d0e83c06d1837cde05eccba67f538847d16c9395cafe1aa
                                                                              • Opcode Fuzzy Hash: aac4237f2f1c4eb8bc0d92f39791046b81a97f562e2b64ae55339ada06cb3f10
                                                                              • Instruction Fuzzy Hash: 24D11971B042048FDB14DB68C895AAD7BB6FF89320F285165E505EB3E1CB35DC86CB61
                                                                              Function 00E02B29 Relevance: .3, Instructions: 276COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 59df4b7c85da9789cdcda30cb826a8148cfff435ee19c68f1f129dbcac2702db
                                                                              • Instruction ID: b00dd7e3766966f539236ae06aa0a4b70a5e409eefc1a8d4f31db676efbdf583
                                                                              • Opcode Fuzzy Hash: 59df4b7c85da9789cdcda30cb826a8148cfff435ee19c68f1f129dbcac2702db
                                                                              • Instruction Fuzzy Hash: 2B81D32964420ACFEF38092A44EC3D9B7E19AF931A760345FEBC2B61C5D5904CC746D7
                                                                              Function 00E0BF80 Relevance: .2, Instructions: 223COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ac9a7a01ba25c30b60e2fd863729c4946e64f3f6ca474b51205b8c1d1a3f1e5a
                                                                              • Instruction ID: 66a873224639a28992f2b95286ce33e16439c1e18c4d4d07d5336543f32865a2
                                                                              • Opcode Fuzzy Hash: ac9a7a01ba25c30b60e2fd863729c4946e64f3f6ca474b51205b8c1d1a3f1e5a
                                                                              • Instruction Fuzzy Hash: F961D476B002059FC714CBB8D844AAEBBF5EBC8324B24962AE559E7380D731DC41C7A0
                                                                              Function 00E00B23 Relevance: .2, Instructions: 205COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a40c56d5b45bb9d94a9872cf844a85746e0c004d0bf6ee23e16418d00ca29d66
                                                                              • Instruction ID: 73a5f75e66ba2c4dfb2aad149d88eb6bf1c71cd685089ccdfb5354a7df22b8ed
                                                                              • Opcode Fuzzy Hash: a40c56d5b45bb9d94a9872cf844a85746e0c004d0bf6ee23e16418d00ca29d66
                                                                              • Instruction Fuzzy Hash: 88A1FF78A0424ACFCF05EFB8E895A9DBBB1FF48309B104529D505AB369DB706D46CF90
                                                                              Function 00E00B30 Relevance: .2, Instructions: 200COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: cbffc72520fb35d78d572825d556db1c957d73ebb4b84adc2edc795cde652311
                                                                              • Instruction ID: 9e3ef3568c662cdb208707fcfbac69547b4753dfca18862512ef69b68120e73f
                                                                              • Opcode Fuzzy Hash: cbffc72520fb35d78d572825d556db1c957d73ebb4b84adc2edc795cde652311
                                                                              • Instruction Fuzzy Hash: B7A1CF78A0420ACFCF05EFB8E885A9DBBB1FF48709B105529D505AB369DB706D45CF90
                                                                              Function 00E0BC28 Relevance: .1, Instructions: 146COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: dd7284aa1dbd5f0a512dbfc966ddc7b2cb222dd6b92b33d98fcbc56538c5d491
                                                                              • Instruction ID: bbfafd2e61143af7e1e11df94008a4d0230946d932f26db3de25b4485e674448
                                                                              • Opcode Fuzzy Hash: dd7284aa1dbd5f0a512dbfc966ddc7b2cb222dd6b92b33d98fcbc56538c5d491
                                                                              • Instruction Fuzzy Hash: B141A235B042489FDB04ABB8D8566AE7FBAFF89340F144479F505DB291DE349D42C760
                                                                              Function 00E03F78 Relevance: .1, Instructions: 126COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f03aeda5eb97eb2138223f358bd316a6ad3007be14abfb9f5c3fd402c8978cf0
                                                                              • Instruction ID: 04084a825f9a754d31f0e248587ae99e04af033076aeb12c162a31dfb7d37ea9
                                                                              • Opcode Fuzzy Hash: f03aeda5eb97eb2138223f358bd316a6ad3007be14abfb9f5c3fd402c8978cf0
                                                                              • Instruction Fuzzy Hash: A751D4B4E00209DFDB44DFA9D58499DBBF2BF89310F209429E915BB3A4DB309986CF51
                                                                              Function 00E03168 Relevance: .1, Instructions: 109COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 78d0a4b1c48ac865875710cb4d3f5afa88ccff4cb4d0069b81e577439d1e9f46
                                                                              • Instruction ID: 42b2d0820c796db458ea883ebbbdae7b86e5a14eb7f7d1d71ee29ca3051f2017
                                                                              • Opcode Fuzzy Hash: 78d0a4b1c48ac865875710cb4d3f5afa88ccff4cb4d0069b81e577439d1e9f46
                                                                              • Instruction Fuzzy Hash: 0D41C274E05208CFCB48DFAAD88499DBBF2BF89304F249529E805BB364DB359945CF14
                                                                              Function 00E09249 Relevance: .1, Instructions: 107COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e56500ceb1fdd12b79fb5225f31e232c55285cab7147f9d0c4a8fc57c5aedc72
                                                                              • Instruction ID: a7eb32c728d3cd734163e059a05561777681c96add06d260b1a0f2ee86034b4c
                                                                              • Opcode Fuzzy Hash: e56500ceb1fdd12b79fb5225f31e232c55285cab7147f9d0c4a8fc57c5aedc72
                                                                              • Instruction Fuzzy Hash: 1B31BC7003A64A8FC3013B61A5AE17EBFB8FB4F31B7056C42F10AC0555AF384586CB60
                                                                              Function 00E0B869 Relevance: .1, Instructions: 101COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: bef6700593347b246481d5ab93046372d5e85e3aa2945d15a00022b85bc472c4
                                                                              • Instruction ID: 49036c0a535126e8b054a01d3cfa14e170e2da8810ca959fcf867d2e33858970
                                                                              • Opcode Fuzzy Hash: bef6700593347b246481d5ab93046372d5e85e3aa2945d15a00022b85bc472c4
                                                                              • Instruction Fuzzy Hash: 16311B35B001098FCB05DFA8C485EDDBBB2FF88324F555154E501AB3A1CB71EC868BA0
                                                                              Function 00E0B89D Relevance: .1, Instructions: 100COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 4cd48d036968839655b640ef2ba4c6a740ab9481af10db6b29b5c60388f849bb
                                                                              • Instruction ID: 197b6792958bc957a1b10b593c76707993982c88bc5b6b239ad2d05acec8048b
                                                                              • Opcode Fuzzy Hash: 4cd48d036968839655b640ef2ba4c6a740ab9481af10db6b29b5c60388f849bb
                                                                              • Instruction Fuzzy Hash: 07312A35B001098FCB05DFA8C481EDDBBB2FF88324F555154E601AB3A1CB71EC868BA0
                                                                              Function 00E0BDE8 Relevance: .1, Instructions: 88COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: a6c5938da650902a022616425642c2e236a5b983d5df53282528c14af43131ab
                                                                              • Instruction ID: 3aeeb0a68382f225cb56d78351cb280830bb68d456f029e090786771da7c6431
                                                                              • Opcode Fuzzy Hash: a6c5938da650902a022616425642c2e236a5b983d5df53282528c14af43131ab
                                                                              • Instruction Fuzzy Hash: EA31A235704208DFC704DF79C855AAE7BB6FF89300B248069E6059B3A5CF359D46CB90
                                                                              Function 00E018C8 Relevance: .1, Instructions: 77COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 1f29176dafff9e69d860d07916f366b18ae2be58a692e32ecd0278c0d215b620
                                                                              • Instruction ID: 764c7e4888629d2aed3dd6a27814477dd1c68ebaed6984b9ef92c174ddd53ed6
                                                                              • Opcode Fuzzy Hash: 1f29176dafff9e69d860d07916f366b18ae2be58a692e32ecd0278c0d215b620
                                                                              • Instruction Fuzzy Hash: AE21C171A0024A9FCB14DF24C8509AE77A5EBD9764F50C459E94AAF380DA34EE85CB90
                                                                              Function 00D7D030 Relevance: .1, Instructions: 72COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3424734935.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_d7d000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 309daadb49bc21b2b55ed34a59e070bec2ec1a4ba2a3965c55387518f632d0c4
                                                                              • Instruction ID: 7622421917fea48b5e8e24f584199561b7c222fb1b417cd8f41f4112398fbf62
                                                                              • Opcode Fuzzy Hash: 309daadb49bc21b2b55ed34a59e070bec2ec1a4ba2a3965c55387518f632d0c4
                                                                              • Instruction Fuzzy Hash: 4321DE71604204EFDB14DF14D980B26BBB6EF84314F38C66DE94E4A292D37AD847CA72
                                                                              Function 00D7D005 Relevance: .1, Instructions: 71COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3424734935.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_d7d000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: dc7a6cc8519ef09384c6524b6d70d9f390cc822db34b44f738dfb6b41058194e
                                                                              • Instruction ID: f2770de6a1b0c2cb48018287593708d70afc66e668b95c3e81d8c7008f029a3f
                                                                              • Opcode Fuzzy Hash: dc7a6cc8519ef09384c6524b6d70d9f390cc822db34b44f738dfb6b41058194e
                                                                              • Instruction Fuzzy Hash: 56215C7150D3C09FCB03CB24D990711BF71AF46214F29C5EBD8898F2A7D23A980ACB62
                                                                              Function 00E00EC8 Relevance: .1, Instructions: 70COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: f140b5747c80af4df24f7b3e55094fdeab6eea03defffb92ff13ffd9ca569eae
                                                                              • Instruction ID: 80402312f84ee379a3002c647b64cca8fe20094392b3fa2af10d62b2e3cc8755
                                                                              • Opcode Fuzzy Hash: f140b5747c80af4df24f7b3e55094fdeab6eea03defffb92ff13ffd9ca569eae
                                                                              • Instruction Fuzzy Hash: 04215170A04209DFDB05EFB9C4407AEB7B2EF86304F10C5AA9414AB395DB749985CF61
                                                                              Function 00E017B8 Relevance: .1, Instructions: 60COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 9254feb504cb2f3abc0eb19f7b842f80a2acb972de8c97660b13140c255cb733
                                                                              • Instruction ID: 27973809ca130c65a90e98ba9c5ba0c2a6504d8c611a50e647ab937c3017c59d
                                                                              • Opcode Fuzzy Hash: 9254feb504cb2f3abc0eb19f7b842f80a2acb972de8c97660b13140c255cb733
                                                                              • Instruction Fuzzy Hash: CA212574D0534A8FCB45DFB8C8845EEBFB0BF0A300F1455AAD445BB251EB304A99CBA1
                                                                              Function 00E0BB48 Relevance: .1, Instructions: 60COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: e7caa31b0587ad9fb51c268bbd8cedc5fade39bfcc619f5868ffc24d1c506b66
                                                                              • Instruction ID: d5b12d31f6fb50a2e2755464754a1d0b3ab82a49d90a91556bbc587d25bedc94
                                                                              • Opcode Fuzzy Hash: e7caa31b0587ad9fb51c268bbd8cedc5fade39bfcc619f5868ffc24d1c506b66
                                                                              • Instruction Fuzzy Hash: 36115E76700204CFD714DB69E988E5AB7E6FF98725B218079E14ACB3A4CB71EC44CB50
                                                                              Function 00E04850 Relevance: .1, Instructions: 54COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 0ae9ae6684bef7626c7630c9b41b27ed73dbe201c81b595597c18959257b53ec
                                                                              • Instruction ID: 235d445c6ffb9ae5442b02b2068cc2264bd0eb6b398deb501413f9dfcba5186a
                                                                              • Opcode Fuzzy Hash: 0ae9ae6684bef7626c7630c9b41b27ed73dbe201c81b595597c18959257b53ec
                                                                              • Instruction Fuzzy Hash: BB01F1BAF013454FD718ABB9894853B67E7AF88228324883ADA05C73D4EF30CC058790
                                                                              Function 00E04860 Relevance: .0, Instructions: 49COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 6b88486df998ea83cdea7e195ab024a8b79e146b05ffcd80cbc59c35f76d4697
                                                                              • Instruction ID: a861ad2b23813b79e57840cfebf1a6b7bd14c277e0ad35062e07c23ffc294cb3
                                                                              • Opcode Fuzzy Hash: 6b88486df998ea83cdea7e195ab024a8b79e146b05ffcd80cbc59c35f76d4697
                                                                              • Instruction Fuzzy Hash: F001A2B5B012554BD718AAB9494852F76EBAFC4628710883DEA05C7394FF70CC054BA1
                                                                              Function 00E093B0 Relevance: .0, Instructions: 49COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 1d281823829fce0610d3b8a8f6df7f2ccd65467da0af3c84e2f47c657074e79d
                                                                              • Instruction ID: 5182ed45420aa9dcc005e0406f41a7651baabc8cd9c9f93176cf58a2cbdc249a
                                                                              • Opcode Fuzzy Hash: 1d281823829fce0610d3b8a8f6df7f2ccd65467da0af3c84e2f47c657074e79d
                                                                              • Instruction Fuzzy Hash: 35118F70D0424ACFDB41EFB8C44079EBBB1FF42304F0482A9C154AB396EB344A468B91
                                                                              Function 00E093C0 Relevance: .0, Instructions: 47COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: d7d47971677b0ad4285855faf9bd80343d9dbf414ccf65342217e3c399af88e4
                                                                              • Instruction ID: 20b762d5ecc17d736aa78a673d375be1f7e9024c872a68ec2b548c2bf3d27dea
                                                                              • Opcode Fuzzy Hash: d7d47971677b0ad4285855faf9bd80343d9dbf414ccf65342217e3c399af88e4
                                                                              • Instruction Fuzzy Hash: 0D113970D0020ADFDB40EFB8C581B9EBBF5FF44304F1095A9C158AB39AEB705A468B91
                                                                              Function 00E0A508 Relevance: .0, Instructions: 46COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 4d96fccef924e8e6886f8825cbbdcf65509632c85dd7d6bbd3adf2baf630f8ba
                                                                              • Instruction ID: b1c1c4d259c145a0a15387dcdecb4433273e55a8622062ffe4bdb82bfb21ab25
                                                                              • Opcode Fuzzy Hash: 4d96fccef924e8e6886f8825cbbdcf65509632c85dd7d6bbd3adf2baf630f8ba
                                                                              • Instruction Fuzzy Hash: 7A014C75E1020A9BDB149F69E8495AE7FB9FF88350B004439F91AE3281DB348D11CBA1
                                                                              Function 00E0A4F9 Relevance: .0, Instructions: 44COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: cbc539ca5e63c01ce982348c9c4ea147fb9d168aa94b589847a606c917912240
                                                                              • Instruction ID: b858d84a5a3d6a55c820cab33a9bdef45025daa6559d607974c559316ed6d3f6
                                                                              • Opcode Fuzzy Hash: cbc539ca5e63c01ce982348c9c4ea147fb9d168aa94b589847a606c917912240
                                                                              • Instruction Fuzzy Hash: E0015EB2E0421A9FCB14DF6898589EE7FB5FB88310B11413AF955A3281DB304D12CB92
                                                                              Function 00E0BB46 Relevance: .0, Instructions: 44COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: b5bf373cb0df76dbcb42d9831881d4e2b2ab58ae1e8a2b06480b2ffa5cf95ef3
                                                                              • Instruction ID: bc262791ad7baec85a4d3640e34f9c06402cd336a6c1fe7557215623a1118fc9
                                                                              • Opcode Fuzzy Hash: b5bf373cb0df76dbcb42d9831881d4e2b2ab58ae1e8a2b06480b2ffa5cf95ef3
                                                                              • Instruction Fuzzy Hash: 8D012876700200CFD724DB69D998B6AB3E6FF98725F15846DE14A9B3A4CB71EC84CB10
                                                                              Function 00E0BEF8 Relevance: .0, Instructions: 42COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 1b69ef014e439df60faefa8c3c20aaed7c69bd4ba5ec615d8bb2ed5ea4d3df63
                                                                              • Instruction ID: d0604e02552fca47eee7a40f329be3d4d90c42e20965bf24f3d327590d71d711
                                                                              • Opcode Fuzzy Hash: 1b69ef014e439df60faefa8c3c20aaed7c69bd4ba5ec615d8bb2ed5ea4d3df63
                                                                              • Instruction Fuzzy Hash: C3F0C83AB142049BCB151A74984926D3BAAEBC9251F144426F506C7381DF39CC479B51
                                                                              Function 00E0C1B0 Relevance: .0, Instructions: 36COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 22b6a0c55fd269246d16dcfb4dc0534eeea8a40a9e1a191631f93efecc1d5c78
                                                                              • Instruction ID: 0b3aa6b9093926b08dbca62b4d13c1d6ad7e0fbde27d1ee6a97e700b1a6bd2fc
                                                                              • Opcode Fuzzy Hash: 22b6a0c55fd269246d16dcfb4dc0534eeea8a40a9e1a191631f93efecc1d5c78
                                                                              • Instruction Fuzzy Hash: FBF0A032B046219BCB19576AE41596EB7EAEFC5731714007AF509EB3A1CF32DC028B90
                                                                              Function 00E046C9 Relevance: .0, Instructions: 33COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 7fd9438841095091022c61609ac59feceb2dccbe9c46532770aca8a40cc70846
                                                                              • Instruction ID: 9bdd166fe1ca07e9efb2a39242cf00d793b946cff3baf75237c48157aca64fde
                                                                              • Opcode Fuzzy Hash: 7fd9438841095091022c61609ac59feceb2dccbe9c46532770aca8a40cc70846
                                                                              • Instruction Fuzzy Hash: 36F0AC75565B428FE7112B70BCED6AE7B60EB0B3077446D45E00ED1276EBB104858B26
                                                                              Function 00E0B9EA Relevance: .0, Instructions: 33COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ca5e76ecaf9475e938aefa5ca3b6a6ba496fd47d086add9e5095607a7ff73214
                                                                              • Instruction ID: 0e92b5e82a5c0d2084ed5dabe4e9ac5b17ee586e33cf7e66c7904e5f061c2543
                                                                              • Opcode Fuzzy Hash: ca5e76ecaf9475e938aefa5ca3b6a6ba496fd47d086add9e5095607a7ff73214
                                                                              • Instruction Fuzzy Hash: 8CF0B4B6A002089FCB51DFB9D5815DEBFF6FB4C350B54452AE209E3201E7349A468BD0
                                                                              Function 00E0B9F8 Relevance: .0, Instructions: 31COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 29b621884009a915d2a6be7434c68b98b8e86d76e33c39679337ba585daacfde
                                                                              • Instruction ID: 0a29cee9f8f18ea642d2cb767a48e2f2894d1dff7adf753b0ded8637d012d35b
                                                                              • Opcode Fuzzy Hash: 29b621884009a915d2a6be7434c68b98b8e86d76e33c39679337ba585daacfde
                                                                              • Instruction Fuzzy Hash: 4CF08272A002089F8B50DFAD984099FFBF9FB88350B50453AD609E3201E770AA559BE1
                                                                              Function 00E046D8 Relevance: .0, Instructions: 25COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 50b0fe45446682c78b72dcdd9935f712892f93ea5e9892c7f1cebc99e07f935d
                                                                              • Instruction ID: ef85eb74d99d884ef8e41f6da38eeeebbb324e1fb4219e46beede9ee8015f787
                                                                              • Opcode Fuzzy Hash: 50b0fe45446682c78b72dcdd9935f712892f93ea5e9892c7f1cebc99e07f935d
                                                                              • Instruction Fuzzy Hash: BEE099B4421B03CBE7103F60B9AC23E7AA5EB0B317B803C01A00EC1279AFB014D48A26
                                                                              Function 00E01877 Relevance: .0, Instructions: 25COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 37517656fffda0a2572abb6c6d8ca36ad318adc51ab6aed48dc0d9a2888c0bcf
                                                                              • Instruction ID: f1579ba0f19bfd48f9b5df4be42a734df56ab4817c166eca254169fd55aa65ca
                                                                              • Opcode Fuzzy Hash: 37517656fffda0a2572abb6c6d8ca36ad318adc51ab6aed48dc0d9a2888c0bcf
                                                                              • Instruction Fuzzy Hash: AAE09A319112AB8FC702EFA0DC444EEFB34EE82250B4546A3D010BF040EB30669ECB60
                                                                              Function 00E01888 Relevance: .0, Instructions: 19COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: ac0e541a33b0e23f3888f4b3b9c1d1ee645cd4ebd030111646b5b6733cc24c7c
                                                                              • Instruction ID: 147ee78828227962921ec1eba055844c63657c25adc41008e53666b5b6430e1e
                                                                              • Opcode Fuzzy Hash: ac0e541a33b0e23f3888f4b3b9c1d1ee645cd4ebd030111646b5b6733cc24c7c
                                                                              • Instruction Fuzzy Hash: C1D01732E2126B968B00AAA5EC048EEB738EE96661B948626D52437140EB70665986A1
                                                                              Function 00E04830 Relevance: .0, Instructions: 8COMMON
                                                                              Download Yara Rule
                                                                              Memory Dump Source
                                                                              • Source File: 00000005.00000002.3425122298.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_5_2_e00000_HUBED342024.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID:
                                                                              • API String ID:
                                                                              • Opcode ID: 9b78b630be498b238b6db8d4e3a6125eda2d56cb166166b015c07d9706aeb42e
                                                                              • Instruction ID: e43fb81ca86a31caaaaf7d694de16ede69084fb42e314ae77adb861cf4703b93
                                                                              • Opcode Fuzzy Hash: 9b78b630be498b238b6db8d4e3a6125eda2d56cb166166b015c07d9706aeb42e
                                                                              • Instruction Fuzzy Hash: E8C04CA941D7C49EDB0B5F205565059BB70AE53305B2518EED082854A3E6254215C30B