
Windows Analysis Report
3WQwD4Z4L7.exe

Overview

General Information

Sample name: 3WQwD4Z4L7.exe (renamed because the original name is a hash value)
Original sample name: 87c02aa1355d71ca57149b67e2b0a05f1e27785fe72041c81c3dbe9ece73a88b.exe
Analysis ID: 1588112
MD5: d3b756ea02a2cf77ec1edc7f33f5eadd
SHA1: 7ccff2288c5cf3575c08f2f5568a90eab909c868
SHA256: 87c02aa1355d71ca57149b67e2b0a05f1e27785fe72041c81c3dbe9ece73a88b
Tags: AsyncRAT, exe, user-adrian__luca
Infos:

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected XWorm
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 3WQwD4Z4L7.exe (PID: 7456 cmdline: "C:\Users\user\Desktop\3WQwD4Z4L7.exe" MD5: D3B756EA02A2CF77EC1EDC7F33F5EADD)
    • 3WQwD4Z4L7.exe (PID: 7624 cmdline: "C:\Users\user\Desktop\3WQwD4Z4L7.exe" MD5: D3B756EA02A2CF77EC1EDC7F33F5EADD)
      • WerFault.exe (PID: 2024 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7624 -s 2056 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup

{"C2 url": ["154.39.0.150"], "Port": 5200, "Aes key": "1987", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source | Rule | Description | Author | Strings
00000000.00000002.1728911401.00000000031CB000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000002.1728911401.00000000031CB000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xf3b9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0xf456:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0xf56b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0xef4b:$cnc4: POST / HTTP/1.1
00000002.00000002.4184269379.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000002.00000002.4184269379.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x87d1:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x886e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8983:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8363:$cnc4: POST / HTTP/1.1
00000000.00000002.1729244829.0000000003FF9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
[6 entries collapsed]

Source | Rule | Description | Author | Strings
2.2.3WQwD4Z4L7.exe.400000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
2.2.3WQwD4Z4L7.exe.400000.0.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0x6fd5:$str01: $VB$Local_Port
  • 0x6fc6:$str02: $VB$Local_Host
  • 0x728a:$str03: get_Jpeg
  • 0x6cb3:$str04: get_ServicePack
  • 0x7ff3:$str05: Select * from AntivirusProduct
  • 0x81ef:$str06: PCRestart
  • 0x8203:$str07: shutdown.exe /f /r /t 0
  • 0x82b5:$str08: StopReport
  • 0x828b:$str09: StopDDos
  • 0x8381:$str10: sendPlugin
  • 0x851f:$str12: -ExecutionPolicy Bypass -File "
  • 0x8648:$str13: Content-length: 5235
2.2.3WQwD4Z4L7.exe.400000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x89d1:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8a6e:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8b83:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8563:$cnc4: POST / HTTP/1.1
0.2.3WQwD4Z4L7.exe.4addb28.1.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
0.2.3WQwD4Z4L7.exe.4addb28.1.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io
  • 0x51d5:$str01: $VB$Local_Port
  • 0x51c6:$str02: $VB$Local_Host
  • 0x548a:$str03: get_Jpeg
  • 0x4eb3:$str04: get_ServicePack
  • 0x61f3:$str05: Select * from AntivirusProduct
  • 0x63ef:$str06: PCRestart
  • 0x6403:$str07: shutdown.exe /f /r /t 0
  • 0x64b5:$str08: StopReport
  • 0x648b:$str09: StopDDos
  • 0x6581:$str10: sendPlugin
  • 0x671f:$str12: -ExecutionPolicy Bypass -File "
  • 0x6848:$str13: Content-length: 5235
[16 entries collapsed]

System Summary

Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\3WQwD4Z4L7.exe, ProcessId: 7624, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepab.lnk
No Suricata rule has matched

AV Detection

Source: 3WQwD4Z4L7.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\Notepab.exe | Avira: detection malicious, Label: HEUR/AGEN.1305388
Source: 00000000.00000002.1728911401.00000000031CB000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Xworm {"C2 url": ["154.39.0.150"], "Port": 5200, "Aes key": "1987", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: C:\Users\user\AppData\Roaming\Notepab.exe | ReversingLabs: Detection: 71%
Source: 3WQwD4Z4L7.exe | Virustotal: Detection: 79%
Source: 3WQwD4Z4L7.exe | ReversingLabs: Detection: 71%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\Notepab.exe | Joe Sandbox ML: detected
Source: 3WQwD4Z4L7.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.1728911401.00000000031CB000.00000004.00000800.00020000.00000000.sdmp | String decryptor: 154.39.0.150
Source: 00000000.00000002.1728911401.00000000031CB000.00000004.00000800.00020000.00000000.sdmp | String decryptor: 5200
Source: 00000000.00000002.1728911401.00000000031CB000.00000004.00000800.00020000.00000000.sdmp | String decryptor: 1987
Source: 00000000.00000002.1728911401.00000000031CB000.00000004.00000800.00020000.00000000.sdmp | String decryptor: <Xwormmm>
Source: 00000000.00000002.1728911401.00000000031CB000.00000004.00000800.00020000.00000000.sdmp | String decryptor: XWorm V5.6
Source: 00000000.00000002.1728911401.00000000031CB000.00000004.00000800.00020000.00000000.sdmp | String decryptor: USB.exe
Source: 00000000.00000002.1728911401.00000000031CB000.00000004.00000800.00020000.00000000.sdmp | String decryptor: %AppData%
Source: 00000000.00000002.1728911401.00000000031CB000.00000004.00000800.00020000.00000000.sdmp | String decryptor: Notepab.exe
Source: 3WQwD4Z4L7.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 3WQwD4Z4L7.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Code function: 4x nop then jmp 07095605h | 0_2_0709588E

Networking

Source: Malware configuration extractor | URLs: 154.39.0.150
Source: global traffic | TCP traffic: 192.168.2.4:49735 -> 154.39.0.150:5200
Source: Joe Sandbox View | ASN Name: COGENT-174US COGENT-174US
Source: unknown | TCP traffic detected without corresponding DNS query: 154.39.0.150
Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 2.2.3WQwD4Z4L7.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
Source: 2.2.3WQwD4Z4L7.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 0.2.3WQwD4Z4L7.exe.4addb28.1.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
Source: 0.2.3WQwD4Z4L7.exe.4addb28.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 0.2.3WQwD4Z4L7.exe.4addb28.1.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
Source: 0.2.3WQwD4Z4L7.exe.4addb28.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 0.2.3WQwD4Z4L7.exe.4024448.3.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
Source: 0.2.3WQwD4Z4L7.exe.4024448.3.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 0.2.3WQwD4Z4L7.exe.4024448.3.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
Source: 0.2.3WQwD4Z4L7.exe.4024448.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 0.2.3WQwD4Z4L7.exe.4a77108.2.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
Source: 0.2.3WQwD4Z4L7.exe.4a77108.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 0.2.3WQwD4Z4L7.exe.4a106e8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings | Author: Sekoia.io
Source: 0.2.3WQwD4Z4L7.exe.4a106e8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 00000000.00000002.1728911401.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 00000002.00000002.4184269379.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 00000000.00000002.1729244829.0000000003FF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 00000000.00000002.1729244829.0000000004864000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Process Stats: CPU usage > 49%
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7624 -s 2056
            Source: 3WQwD4Z4L7.exe, 00000000.00000002.1728156873.00000000013AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 3WQwD4Z4L7.exe
            Source: 3WQwD4Z4L7.exe, 00000000.00000000.1710384263.0000000000C52000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamerkZi.exe, vs 3WQwD4Z4L7.exe
            Source: 3WQwD4Z4L7.exe, 00000000.00000002.1731661738.00000000070B0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs 3WQwD4Z4L7.exe
            Source: 3WQwD4Z4L7.exe, 00000000.00000002.1729244829.0000000003FF9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXClient.exe4 vs 3WQwD4Z4L7.exe
            Source: 3WQwD4Z4L7.exe, 00000000.00000002.1729244829.0000000003FF9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs 3WQwD4Z4L7.exe
            Source: 3WQwD4Z4L7.exe, 00000000.00000002.1729244829.0000000004864000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs 3WQwD4Z4L7.exe
            Source: 3WQwD4Z4L7.exe, 00000000.00000002.1729244829.0000000004864000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXClient.exe4 vs 3WQwD4Z4L7.exe
            Source: 3WQwD4Z4L7.exe, 00000000.00000002.1733673608.000000000A8E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs 3WQwD4Z4L7.exe
            Source: 3WQwD4Z4L7.exe, 00000002.00000002.4184269379.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameXClient.exe4 vs 3WQwD4Z4L7.exe
            Source: 3WQwD4Z4L7.exe, 00000002.00000002.4189244459.0000000004011000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamerkZi.exe, vs 3WQwD4Z4L7.exe
            Source: 3WQwD4Z4L7.exe, 00000002.00000002.4190512013.0000000005E49000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 3WQwD4Z4L7.exe
            Source: 3WQwD4Z4L7.exe | Binary or memory string: OriginalFilenamerkZi.exe, vs 3WQwD4Z4L7.exe
            Source: 3WQwD4Z4L7.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 2.2.3WQwD4Z4L7.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 2.2.3WQwD4Z4L7.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.2.3WQwD4Z4L7.exe.4addb28.1.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 0.2.3WQwD4Z4L7.exe.4addb28.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.2.3WQwD4Z4L7.exe.4addb28.1.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 0.2.3WQwD4Z4L7.exe.4addb28.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.2.3WQwD4Z4L7.exe.4024448.3.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 0.2.3WQwD4Z4L7.exe.4024448.3.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.2.3WQwD4Z4L7.exe.4024448.3.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 0.2.3WQwD4Z4L7.exe.4024448.3.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.2.3WQwD4Z4L7.exe.4a77108.2.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 0.2.3WQwD4Z4L7.exe.4a77108.2.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.2.3WQwD4Z4L7.exe.4a106e8.0.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 0.2.3WQwD4Z4L7.exe.4a106e8.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000000.00000002.1728911401.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000002.00000002.4184269379.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000000.00000002.1729244829.0000000003FF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000000.00000002.1729244829.0000000004864000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 3WQwD4Z4L7.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: Notepab.exe.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@4/7@0/1
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3WQwD4Z4L7.exe.log
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Mutant created: NULL
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Mutant created: \Sessions\1\BaseNamedObjects\Tta9Wy8kD7xwtsRU
            Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7624
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | File created: C:\Users\user\AppData\Local\Temp\Log.tmp
            Source: 3WQwD4Z4L7.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 3WQwD4Z4L7.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | File read: C:\Users\desktop.ini
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: 3WQwD4Z4L7.exe | Virustotal: Detection: 79%
            Source: 3WQwD4Z4L7.exe | ReversingLabs: Detection: 71%
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | File read: C:\Users\user\Desktop\3WQwD4Z4L7.exe
            Source: unknown | Process created: C:\Users\user\Desktop\3WQwD4Z4L7.exe "C:\Users\user\Desktop\3WQwD4Z4L7.exe"
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Process created: C:\Users\user\Desktop\3WQwD4Z4L7.exe "C:\Users\user\Desktop\3WQwD4Z4L7.exe"
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7624 -s 2056
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Process created: C:\Users\user\Desktop\3WQwD4Z4L7.exe "C:\Users\user\Desktop\3WQwD4Z4L7.exe"
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: dwrite.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: windowscodecs.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: iconcodecservice.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: sxs.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: scrrun.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: linkinfo.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: ntshrui.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: cscapi.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: edputil.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: textinputframework.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: coreuicomponents.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: wbemcomn.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: avicap32.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: msvfw32.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: Notepab.lnk.2.dr | LNK file: ..\..\..\..\..\Notepab.exe
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: 3WQwD4Z4L7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: 3WQwD4Z4L7.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 3WQwD4Z4L7.exe, 00000002.00000002.4192333072.000000000630B000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Xml.ni.pdb source: WER2C66.tmp.dmp.9.dr
            Source: Binary string: mscorlib.pdbe\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Server\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: 3WQwD4Z4L7.exe, 00000002.00000002.4185441215.0000000001427000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: 3WQwD4Z4L7.exe, 00000002.00000002.4193262947.0000000006D8B000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Users\user\Desktop\3WQwD4Z4L7.PDB1 source: 3WQwD4Z4L7.exe, 00000002.00000002.4185441215.00000000014DD000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Accessibility.pdb source: WER2C66.tmp.dmp.9.dr
            Source: Binary string: System.ni.pdbRSDS source: WER2C66.tmp.dmp.9.dr
            Source: Binary string: n.pdb source: 3WQwD4Z4L7.exe, 00000002.00000002.4192333072.000000000630B000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.ni.pdb source: WER2C66.tmp.dmp.9.dr
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 3WQwD4Z4L7.exe, 00000002.00000002.4185441215.0000000001427000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mscorlib.ni.pdbRSDS source: WER2C66.tmp.dmp.9.dr
            Source: Binary string: System.Configuration.pdb source: WER2C66.tmp.dmp.9.dr
            Source: Binary string: System.Core.pdbMZ@ source: WER2C66.tmp.dmp.9.dr
            Source: Binary string: System.Xml.pdb source: WER2C66.tmp.dmp.9.dr
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb1? source: 3WQwD4Z4L7.exe, 00000002.00000002.4185441215.0000000001427000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.pdb source: WER2C66.tmp.dmp.9.dr
            Source: Binary string: System.Xml.ni.pdbRSDS# source: WER2C66.tmp.dmp.9.dr
            Source: Binary string: Microsoft.VisualBasic.pdb source: WER2C66.tmp.dmp.9.dr
            Source: Binary string: System.Core.ni.pdb source: WER2C66.tmp.dmp.9.dr
            Source: Binary string: %%.pdb source: 3WQwD4Z4L7.exe, 00000002.00000002.4192333072.000000000630B000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Windows.Forms.pdb source: WER2C66.tmp.dmp.9.dr
            Source: Binary string: n0C:\Windows\mscorlib.pdb source: 3WQwD4Z4L7.exe, 00000002.00000002.4192333072.000000000630B000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: mscorlib.pdb source: 3WQwD4Z4L7.exe, 00000002.00000002.4185441215.00000000014CF000.00000004.00000020.00020000.00000000.sdmp, 3WQwD4Z4L7.exe, 00000002.00000002.4193262947.0000000006D7F000.00000004.00000020.00020000.00000000.sdmp, WER2C66.tmp.dmp.9.dr
            Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: 3WQwD4Z4L7.exe, 00000002.00000002.4193262947.0000000006D72000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER2C66.tmp.dmp.9.dr
            Source: Binary string: \??\C:\Windows\mscorlib.pdbr source: 3WQwD4Z4L7.exe, 00000002.00000002.4193262947.0000000006D8B000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Drawing.pdb source: WER2C66.tmp.dmp.9.dr
            Source: Binary string: System.Management.pdb source: WER2C66.tmp.dmp.9.dr
            Source: Binary string: mscorlib.ni.pdb source: WER2C66.tmp.dmp.9.dr
            Source: Binary string: System.Management.ni.pdb source: WER2C66.tmp.dmp.9.dr
            Source: Binary string: nC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: 3WQwD4Z4L7.exe, 00000002.00000002.4192333072.000000000630B000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Xml.pdb| source: WER2C66.tmp.dmp.9.dr
            Source: Binary string: \??\C:\Windows\mscorlib.pdb source: 3WQwD4Z4L7.exe, 00000002.00000002.4193262947.0000000006D8B000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdb source: WER2C66.tmp.dmp.9.dr
            Source: Binary string: symbols\dll\mscorlib.pdbLb source: 3WQwD4Z4L7.exe, 00000002.00000002.4192333072.000000000630B000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: .pdb source: 3WQwD4Z4L7.exe, 00000002.00000002.4192333072.000000000630B000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER2C66.tmp.dmp.9.dr
            Source: Binary string: Accessibility.pdbPt source: WER2C66.tmp.dmp.9.dr
            Source: Binary string: System.ni.pdb source: WER2C66.tmp.dmp.9.dr
            Source: Binary string: System.Core.ni.pdbRSDS source: WER2C66.tmp.dmp.9.dr
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Code function: 0_2_02E8F2B0 push ss; retf 0_2_02E8F2F6
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Code function: 0_2_02E8B5C8 push ebx; retf 0_2_02E8B5DE
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Code function: 0_2_02E8B568 push esp; retf 0_2_02E8B586
            Source: 3WQwD4Z4L7.exe | Static PE information: section name: .text entropy: 7.622833498923812
            Source: Notepab.exe.2.dr | Static PE information: section name: .text entropy: 7.622833498923812
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | File created: C:\Users\user\AppData\Roaming\Notepab.exe
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepab.lnk

            Hooking and other Techniques for Hiding and Protection

            Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: icon (2112).png
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara match File source: Process Memory Space: 3WQwD4Z4L7.exe PID: 7456, type: MEMORYSTR
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Memory allocated: 2E40000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Memory allocated: 2FF0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Memory allocated: 4FF0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Memory allocated: 8130000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Memory allocated: 7750000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Memory allocated: 9130000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Memory allocated: A130000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Memory allocated: A950000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Memory allocated: B950000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Memory allocated: C950000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Memory allocated: 12A0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Memory allocated: 3010000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Memory allocated: 1300000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Window / User API: threadDelayed 3868
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Window / User API: threadDelayed 5941
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe TID: 7476 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe TID: 7776 Thread sleep time: -24903104499507879s >= -30000s
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe File Volume queried: C:\ FullSizeInformation
            Source: 3WQwD4Z4L7.exe, 00000002.00000002.4185441215.00000000014DD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Process queried: DebugPort
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Memory written: C:\Users\user\Desktop\3WQwD4Z4L7.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Process created: C:\Users\user\Desktop\3WQwD4Z4L7.exe "C:\Users\user\Desktop\3WQwD4Z4L7.exe"
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Users\user\Desktop\3WQwD4Z4L7.exe VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Users\user\Desktop\3WQwD4Z4L7.exe VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: 3WQwD4Z4L7.exe, 00000002.00000002.4193262947.0000000006DB2000.00000004.00000020.00020000.00000000.sdmp, 3WQwD4Z4L7.exe, 00000002.00000002.4185441215.00000000014CF000.00000004.00000020.00020000.00000000.sdmp, 3WQwD4Z4L7.exe, 00000002.00000002.4185441215.0000000001427000.00000004.00000020.00020000.00000000.sdmp, 3WQwD4Z4L7.exe, 00000002.00000002.4193262947.0000000006D8B000.00000004.00000020.00020000.00000000.sdmp, 3WQwD4Z4L7.exe, 00000002.00000002.4185441215.00000000014DD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Users\user\Desktop\3WQwD4Z4L7.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

            Stealing of Sensitive Information

            Source: Yara match | File source: 2.2.3WQwD4Z4L7.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.3WQwD4Z4L7.exe.4addb28.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.3WQwD4Z4L7.exe.4addb28.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.3WQwD4Z4L7.exe.4024448.3.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.3WQwD4Z4L7.exe.4024448.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.3WQwD4Z4L7.exe.4a77108.2.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.3WQwD4Z4L7.exe.4a106e8.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000002.1728911401.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.4184269379.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.1729244829.0000000003FF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.1729244829.0000000004864000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: 3WQwD4Z4L7.exe PID: 7456, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: 3WQwD4Z4L7.exe PID: 7624, type: MEMORYSTR

            Remote Access Functionality

            barindex
Source: Yara match, file source: 2.2.3WQwD4Z4L7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.3WQwD4Z4L7.exe.4addb28.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.3WQwD4Z4L7.exe.4addb28.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.3WQwD4Z4L7.exe.4024448.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.3WQwD4Z4L7.exe.4024448.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.3WQwD4Z4L7.exe.4a77108.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.3WQwD4Z4L7.exe.4a106e8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000000.00000002.1728911401.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000002.00000002.4184269379.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1729244829.0000000003FF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1729244829.0000000004864000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: 3WQwD4Z4L7.exe PID: 7456, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: 3WQwD4Z4L7.exe PID: 7624, type: MEMORYSTR
MITRE ATT&CK Matrix

The matrix is flattened in this export; below it is rebuilt per tactic column. Techniques followed by a number in square brackets are the ones this analysis matched, the number being the count badge shown in the report; the remaining entries are the unmatched cells of the matrix template.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation [11]; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: Registry Run Keys / Startup Folder [2]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection [111]; Registry Run Keys / Startup Folder [2]; DLL Side-Loading [1]; Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Masquerading [11]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [141]; Process Injection [111]; Obfuscated Files or Information [3]; Software Packing [2]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery [231]; Process Discovery [1]; Virtualization/Sandbox Evasion [141]; Application Window Discovery [1]; File and Directory Discovery [1]; System Information Discovery [13]; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data [1]; Clipboard Data [1]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Application Layer Protocol [1]; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet

Screenshots: the thumbnails of this section are not included in this text export (one screenshot alt text survives: windows-stand).
Initial sample
Source         | Detection | Scanner        | Label
3WQwD4Z4L7.exe | 79%       | Virustotal     | (Browse)
3WQwD4Z4L7.exe | 71%       | ReversingLabs  | ByteCode-MSIL.Trojan.Nekark
3WQwD4Z4L7.exe | 100%      | Avira          | HEUR/AGEN.1305388
3WQwD4Z4L7.exe | 100%      | Joe Sandbox ML |

Dropped files
Source                                    | Detection | Scanner        | Label
C:\Users\user\AppData\Roaming\Notepab.exe | 100%      | Avira          | HEUR/AGEN.1305388
C:\Users\user\AppData\Roaming\Notepab.exe | 100%      | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Notepab.exe | 71%       | ReversingLabs  | ByteCode-MSIL.Trojan.Nekark
            No Antivirus matches
            No Antivirus matches
URLs
Source       | Detection | Scanner         | Label
154.39.0.150 | 0%        | Avira URL Cloud | safe
            No contacted domains info
Contacted IPs
Name         | Malicious | Antivirus Detection   | Reputation
154.39.0.150 | true      | Avira URL Cloud: safe | unknown

The "safe" verdict is a URL-reputation lookup on the bare IP and should not be read as contradicting the malicious flag: the flag comes from the sandbox's own classification of the address as the C2 endpoint in the extracted configuration, and the same IP is associated with two other XWorm samples in the context section below.
URLs from memory and binaries (all rated Malicious: false, Reputation: high)

Memory regions referenced below:
  A = 3WQwD4Z4L7.exe, 00000000.00000002.1731768877.0000000007102000.00000004.00000800.00020000.00000000.sdmp
  B = 3WQwD4Z4L7.exe, 00000000.00000002.1731270625.0000000005929000.00000004.00000020.00020000.00000000.sdmp
  C = 3WQwD4Z4L7.exe, 00000002.00000002.4186283186.0000000003011000.00000004.00000800.00020000.00000000.sdmp

Name                                                        | Source
http://www.apache.org/licenses/LICENSE-2.0                  | A
http://www.fontbureau.com                                   | A
http://www.fontbureau.com/designersG                        | A
http://www.fontbureau.com/designers/?                       | A
http://www.founder.com.cn/cn/bThe                           | A
http://www.fontbureau.com/designers?                        | A
http://www.tiro.com                                         | A
http://www.fontbureau.com/designers                         | A
http://www.goodfont.co.kr                                   | A
http://www.carterandcone.coml                               | A
http://www.sajatypeworks.com                                | A
http://www.typography.netD                                  | A
http://www.fontbureau.com/designers/cabarga.htmlN           | A
http://www.founder.com.cn/cn/cThe                           | A
http://www.galapagosdesign.com/staff/dennis.htm             | A
http://www.founder.com.cn/cn                                | A
http://www.fontbureau.com/designers/frere-user.html         | A
http://www.jiyu-kobo.co.jp/                                 | A
http://www.galapagosdesign.com/DPlease                      | A
http://www.fontbureau.com/designers8                        | A
http://www.ascendercorp.com/typedesigners.html              | B
http://www.fonts.com                                        | A
http://www.sandoll.co.kr                                    | A
http://www.urwpp.deDPlease                                  | A
http://www.zhongyicts.com.cn                                | A
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name  | C
http://www.sakkal.com                                       | A

None of these are contacted or part of the C2 configuration. The font-vendor URLs (fontbureau.com, tiro.com, sandoll.co.kr, zhongyicts.com.cn and the rest of region A) are the kind of designer and vendor strings stored in the name tables of Windows system fonts, which land in process memory when a .NET WinForms process enumerates fonts; the trailing junk characters (designersG, coml, netD, DPlease) are adjacent bytes the string scanner swept up. The Apache license URL and the schemas.xmlsoap.org claims URI are .NET framework strings. The report rates all of them non-malicious for that reason; the only network indicator in this analysis is 154.39.0.150.
Contacted public IPs (the geographic map and its percentage legend are not reproduced in this text export)
IP           | Domain  | Country       | Flag | ASN | ASN Name     | Malicious
154.39.0.150 | unknown | United States |      | 174 | COGENT-174US | true
                                                                  Joe Sandbox version:42.0.0 Malachite
                                                                  Analysis ID:1588112
                                                                  Start date and time:2025-01-10 21:30:42 +01:00
                                                                  Joe Sandbox product:CloudBasic
                                                                  Overall analysis duration:0h 7m 34s
                                                                  Hypervisor based Inspection enabled:false
                                                                  Report type:full
                                                                  Cookbook file name:default.jbs
                                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:11
                                                                  Number of new started drivers analysed:0
                                                                  Number of existing processes analysed:0
                                                                  Number of existing drivers analysed:0
                                                                  Number of injected processes analysed:0
                                                                  Technologies:
                                                                  • HCA enabled
                                                                  • EGA enabled
                                                                  • AMSI enabled
                                                                  Analysis Mode:default
                                                                  Analysis stop reason:Timeout
                                                                  Sample name:3WQwD4Z4L7.exe
                                                                  renamed because original name is a hash value
                                                                  Original Sample Name:87c02aa1355d71ca57149b67e2b0a05f1e27785fe72041c81c3dbe9ece73a88b.exe
                                                                  Detection:MAL
                                                                  Classification:mal100.troj.evad.winEXE@4/7@0/1
                                                                  EGA Information:
                                                                  • Successful, ratio: 100%
                                                                  HCA Information:
                                                                  • Successful, ratio: 96%
                                                                  • Number of executed functions: 56
                                                                  • Number of non-executed functions: 34
                                                                  Cookbook Comments:
                                                                  • Found application associated with file extension: .exe
                                                                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                  • Excluded IPs from analysis (whitelisted): 2.23.242.162, 20.109.210.53, 13.107.246.45, 40.126.32.140
                                                                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                                  • Report size getting too big, too many NtSetInformationFile calls found.
Time     | Type            | Description
15:31:38 | API Interceptor | 7657961x Sleep call for process: 3WQwD4Z4L7.exe modified
20:31:45 | Autostart       | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepab.lnk
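The three host-side indicators this report gives a responder are the Startup-folder shortcut Notepab.lnk pointing at %APPDATA%\Roaming\Notepab.exe (a look-alike of notepad, matching the Masquerading and icon-mismatch signatures), the sample SHA-256, and the C2 address 154.39.0.150 reached over a non-standard port. The following Python is an added example, not part of the Joe Sandbox report or of any Joe Security tooling, that turns those indicators into triage checks over `netstat -ano` output and a Startup-folder listing. The netstat rows, the shortcut list, the remote port 7000, the list of "common" ports and the list of legitimate program names are all constructed assumptions for the demonstration; the report itself does not state which port the C2 used.

```python
"""Triage checks built from the indicators in this Joe Sandbox report (added example).

The inputs at the bottom are constructed stand-ins for `netstat -ano` output and a
Startup-folder listing; they are not data captured during the sandbox run.
"""
import hashlib
import re
from dataclasses import dataclass

# Indicators taken directly from the report.
C2_IPS = {"154.39.0.150"}
SAMPLE_SHA256 = "87c02aa1355d71ca57149b67e2b0a05f1e27785fe72041c81c3dbe9ece73a88b"
DROPPED_EXE = r"C:\Users\user\AppData\Roaming\Notepab.exe"
STARTUP_LNK = "Notepab.lnk"

# Assumption for this check only: ports on which outbound traffic is unremarkable.
COMMON_PORTS = {80, 443, 8080, 8443}
# Assumption: program names a dropper might imitate by changing one character.
LEGIT_NAMES = {"notepad", "explorer", "svchost", "chrome"}


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


_NETSTAT = re.compile(r"^\s*TCP\s+\S+:\d+\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\w+)\s+(\d+)\s*$")


def parse_netstat(lines):
    """Return (remote_ip, remote_port, state, pid) for each TCP row of `netstat -ano`."""
    rows = []
    for line in lines:
        m = _NETSTAT.match(line)
        if m:
            ip, port, state, pid = m.groups()
            rows.append((ip, int(port), state, int(pid)))
    return rows


def c2_findings(netstat_lines):
    """Flag sockets to the C2 IP and say whether the port is one a RAT would hide behind."""
    out = []
    for ip, port, state, pid in parse_netstat(netstat_lines):
        if ip in C2_IPS:
            tag = "non-standard port" if port not in COMMON_PORTS else "common port"
            out.append(Finding("c2", f"pid {pid} {state} {ip}:{port} ({tag})"))
    return out


def levenshtein(a, b):
    """Edit distance; a single substitution turns 'Notepab' into 'Notepad'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def startup_findings(shortcuts):
    """`shortcuts` is a list of (lnk_name, target_path) taken from the user's Startup folder.

    Two independent signals: a target living directly under AppData\\Roaming, and a
    shortcut name within one edit of a well-known program name (masquerading).
    """
    out = []
    for name, target in shortcuts:
        stem = name.lower().removesuffix(".lnk")
        in_roaming = "\\appdata\\roaming\\" in target.lower()
        lookalike = sorted(n for n in LEGIT_NAMES if 0 < levenshtein(stem, n) <= 1)
        if in_roaming or lookalike:
            why = []
            if in_roaming:
                why.append("target under AppData\\Roaming")
            if lookalike:
                why.append("name imitates " + ", ".join(lookalike))
            out.append(Finding("persistence", f"{name} -> {target} ({'; '.join(why)})"))
    return out


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def hash_findings(path, data, known=frozenset({SAMPLE_SHA256})):
    """Compare a file's SHA-256 with the sample hash from the report header."""
    digest = sha256_hex(data)
    return [Finding("hash", f"{path} matches known sample {digest}")] if digest in known else []


# Constructed sample inputs (not captured data); the remote port 7000 is a placeholder.
NETSTAT_SAMPLE = [
    "  TCP    10.0.0.5:49811        154.39.0.150:7000      ESTABLISHED     7624",
    "  TCP    10.0.0.5:49812        13.107.246.45:443      ESTABLISHED     4412",
]
STARTUP_SAMPLE = [
    (STARTUP_LNK, DROPPED_EXE),
    ("OneDrive.lnk", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"),
]


def triage(netstat_lines=NETSTAT_SAMPLE, shortcuts=STARTUP_SAMPLE):
    """Run the network and persistence checks and return the findings in that order."""
    return c2_findings(netstat_lines) + startup_findings(shortcuts)


if __name__ == "__main__":
    for f in triage():
        print(f.kind, f.detail)
```

On a live host, feed `parse_netstat` the output of `netstat -ano` and build the shortcut list from the `.lnk` files under %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup (resolving each target with a shell-link library); the hash check needs the file bytes of any suspect executable. The edit-distance test is the useful part of the persistence check: an exact-name denylist would miss the next build, which only needs to rename Notepab.exe.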
IP context
Match        | Associated Sample Name / URL | SHA 256  | Detection | Threat Name | Link   | Context
154.39.0.150 | pKXxiawkTj.exe               | Get hash | malicious | XWorm       | Browse |
154.39.0.150 | Receipt-#202431029B.exe      | Get hash | malicious | XWorm       | Browse |

Domain context: No context

ASN context
Match        | Associated Sample Name / URL | SHA 256  | Detection | Threat Name | Link   | Context
COGENT-174US | EIvidclKOb.exe               | Get hash | malicious | FormBook    | Browse | 206.238.89.119
COGENT-174US | wWXR5js3k2.exe               | Get hash | malicious | FormBook    | Browse | 38.47.233.21
COGENT-174US | psibx9rXra.exe               | Get hash | malicious | FormBook    | Browse | 154.23.178.183
COGENT-174US | OVZizpEU7Q.exe               | Get hash | malicious | FormBook    | Browse | 38.181.21.178
COGENT-174US | pKXxiawkTj.exe               | Get hash | malicious | XWorm       | Browse | 154.39.0.150
COGENT-174US | frosty.arm.elf               | Get hash | malicious | Mirai       | Browse | 154.62.137.46
COGENT-174US | frosty.spc.elf               | Get hash | malicious | Mirai       | Browse | 38.148.77.12
COGENT-174US | frosty.sh4.elf               | Get hash | malicious | Mirai       | Browse | 23.154.10.225
COGENT-174US | cNDddMAF5u.exe               | Get hash | malicious | FormBook    | Browse | 154.23.178.231
COGENT-174US | zE1VxVoZ3W.exe               | Get hash | malicious | FormBook    | Browse | 38.181.21.54

JA3 fingerprint context: No context

Dropped file context: No context
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:Mini DuMP crash report, 15 streams, Fri Jan 10 20:35:27 2025, 0x1205a4 type
                                                                      Category:dropped
                                                                      Size (bytes):382554
                                                                      Entropy (8bit):3.6059494461110906
                                                                      Encrypted:false
                                                                      SSDEEP:3072:I4gMMrb7pFxwyjUgSYpY4uEqhly+ULTgLE+WDP4iOBDaJTEtqP0:I4Eg4pY4qy+KTgwN4VqP
                                                                      MD5:E2A6251A9FBB9D254FE7714D15E8F800
                                                                      SHA1:FC62E3A05A469D94C159E4126AE917893867FAB5
                                                                      SHA-256:E8E0AB745D8A5E7E1E026A32D06BDA803A088353955426EA2EA0D17CAC94111A
                                                                      SHA-512:A31DDB88ECFEEB0D94E65A63419B7D837460E70059561A5AEC4EB33CF7D25AD0FBC7E3FA8AE401AA2167E297CC5AE683558947A491BEB92E9E8F77F7392EB9B6
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview:MDMP..a..... ..........g.........................$..........$...`/.......0...t..........`.......8...........T............P............../..........p1..............................................................................eJ.......2......GenuineIntel............T..............g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):6394
                                                                      Entropy (8bit):3.725134507965786
                                                                      Encrypted:false
                                                                      SSDEEP:96:RSIU6o7wVetbJJA6HI80YZDQE/jjkr5aM4Ub89blbrsfSOvjm:R6l7wVeJJ+6QYZD4prb89bxrsfSO7m
                                                                      MD5:D7E5EA716ADFF00FA6511008478C5E13
                                                                      SHA1:67B9BD598AF0713704973B226A7C75BECF6D7B86
                                                                      SHA-256:E7A30859DC97A9EC7BCD53D6C2D7078EC30FFD97ECD00FF9AB04C1B149219D43
                                                                      SHA-512:098786CF3A1BFEF05E7B1F10BF849D108E28F40900892CB8524B98EA18A300416D3C313B2E024E91E8CB79222008AE5E14D111760C974AE99E19424445A12B61
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.6.2.4.<./.P.i.
                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):4735
                                                                      Entropy (8bit):4.477430615287938
                                                                      Encrypted:false
                                                                      SSDEEP:48:cvIwWl8zsiJg77aI9fcWpW8VY2Ym8M4JxfFe8e+q8vswI/Dzdecd:uIjfwI7lV7VmJBeKDIbzdPd
                                                                      MD5:0AA4EAB65CFEB58577B5A8849C037B73
                                                                      SHA1:7384DC36AABEAC963CC0E06802AA5D043651BC9A
                                                                      SHA-256:A270A7558B9A452F480DC8091C45AFE15F26BB3DCB3C05470EF25C0B539C5D75
                                                                      SHA-512:380D6CD6E7AE9C153A3B07A70DF0A587C0EAA2D1E2E203119645525BC9ECAF2F8D4B5EDA4B51E9B641C6CD64656A21CAC9617ED309AF711941E6FA0D91954F18
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="670298" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                      Process:C:\Users\user\Desktop\3WQwD4Z4L7.exe
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):1216
                                                                      Entropy (8bit):5.34331486778365
                                                                      Encrypted:false
                                                                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                      Malicious:true
                                                                      Reputation:high, very likely benign file
                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Process: C:\Users\user\Desktop\3WQwD4Z4L7.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 29
Entropy (8bit): 3.598349098128234
Encrypted: false
SSDEEP: 3:rRSFYJKXzovNsra:EFYJKDoWra
MD5: 2C11513C4FAB02AEDEE23EC05A2EB3CC
SHA1: 59177C177B2546FBD8EC7688BAD19D08D32640DE
SHA-256: BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
SHA-512: 08196AFA62650F1808704DCAD9918DA11175CD8792878F63E35F517B4D6CF407AC9E281D9B71A76E4CC1486CAD7079C56B74ECBEDB0A0F0DD4170FB0D30D2BAD
Malicious: false
Reputation: moderate, very likely benign file
Preview: ....### explorer ###..[WIN]r

Process: C:\Users\user\Desktop\3WQwD4Z4L7.exe
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Jan 10 19:31:42 2025, mtime=Fri Jan 10 19:31:42 2025, atime=Fri Jan 10 19:31:42 2025, length=804352, window=hide
Category: dropped
Size (bytes): 764
Entropy (8bit): 5.044090283019445
Encrypted: false
SSDEEP: 12:84Dt824GQ/WCbdY//vLsFELGKmNblajAspCrHZ2l+dIQIoBmV:840GRk+oFmGbNBmAspC1C+TBm
MD5: 4E9F22F31BA18B33513303C976A9C1B6
SHA1: 953F42A2E1187E417B053B080EEB8BE33906FCBE
SHA-256: 151BE3C7FC04D39959794B79617AA9E2BA7F58DE8E8FD6BAE5F258E6D6D365E6
SHA-512: C534A264153D7A1929ADA9F4B3D93D10E977C9BC78712763CF626D301DE97649D6DA3ED2D28A085E7542361BD9390D7434BD75CDA8526985C74335AA4FF892DE
Malicious: false
Preview: L..................F.... ....R...c...R...c...R...c...F......................v.:..DG..Yr?.D..U..k0.&...&......vk.v....3....c..5*...c......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^*Z............................%..A.p.p.D.a.t.a...B.V.1.....*Z...Roaming.@......CW.^*Z............................`..R.o.a.m.i.n.g.....b.2..F..*Z.. .Notepab.exe.H......*Z..*Z............................3%..N.o.t.e.p.a.b...e.x.e.......Y...............-.......X.............t......C:\Users\user\AppData\Roaming\Notepab.exe........\.....\.....\.....\.....\.N.o.t.e.p.a.b...e.x.e.`.......X.......405464...........hT..CrF.f4... .P.T..b...,.......hT..CrF.f4... .P.T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

Process: C:\Users\user\Desktop\3WQwD4Z4L7.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 804352
Entropy (8bit): 7.408502987627136
Encrypted: false
SSDEEP: 12288:XjlIpHtMPku+l0CPP3wS6K9oCpYh0wCylHTto7HTY6UdtIxN948dAA:XjlIhSPd+p5ftwCyZtuHQSA
MD5: D3B756EA02A2CF77EC1EDC7F33F5EADD
SHA1: 7CCFF2288C5CF3575C08F2F5568A90EAB909C868
SHA-256: 87C02AA1355D71CA57149B67E2B0A05F1E27785FE72041C81C3DBE9ECE73A88B
SHA-512: DBC7391A9F588BC161A9CD2E868E716357C88E5CC387575AA47EEC7523F5C7460D8A85ECC9F4F08A300B5D218CF53158158FCBFE49FF3C201E4FB845480658C5
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 71%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...J.Zg..............0.................. ........@.. ....................................@.....................................O.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc...............D..............@..B........................H.......d1... .......... R..p............................................0...........(........}.....s....}.....r...p(....}.....~.... ....s....}.....{....o.... ......o......{.....o......{....o.....{....o......{.....{....o.....*f........s....s....(.....*~..{....r...po......{....o.....*.0..}.........{....r9..po......+7...{.....|....o ...}....(!....{....o".....{.....o........+.&..{....rS..po........&..{....rS..po........*...........>P..........>f.........}.....(#.......s....}....
Note: the MD5, SHA1, SHA-256 and size of this dropped PE are identical to those of the submitted sample, so it is a self-copy; the shortcut listed above resolves to C:\Users\user\AppData\Roaming\Notepab.exe with length=804352, the same size.

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.408502987627136
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: 3WQwD4Z4L7.exe
File size: 804'352 bytes
MD5: d3b756ea02a2cf77ec1edc7f33f5eadd
SHA1: 7ccff2288c5cf3575c08f2f5568a90eab909c868
SHA256: 87c02aa1355d71ca57149b67e2b0a05f1e27785fe72041c81c3dbe9ece73a88b
SHA512: dbc7391a9f588bc161a9cd2e868e716357c88e5cc387575aa47eec7523f5c7460d8a85ecc9f4f08a300b5d218cf53158158fcbfe49ff3c201e4fb845480658c5
SSDEEP: 12288:XjlIpHtMPku+l0CPP3wS6K9oCpYh0wCylHTto7HTY6UdtIxN948dAA:XjlIhSPd+p5ftwCyZtuHQSA
TLSH: 47059ED03B15A710DC6AA9348437DDBB61232A2CAC1878EA3DD97F0B7DA6303551AF47
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...J.Zg..............0.................. ........@.. ....................................@................................
Icon Hash: 2eec8e8cb683b9b1
Entrypoint: 0x4ad7e2
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x675A8C4A [Thu Dec 12 07:10:02 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the preview repeats the previous line for the rest of the dump: every byte after the jmp is zero padding, and 00 00 disassembles as add byte ptr [eax], al)

The jump target 0x402000 is Imagebase 0x400000 plus the IAT at RVA 0x2000 (size 0x8, i.e. one 32-bit slot plus the null terminator), whose only entry is mscoree.dll!_CorExeMain. This is the standard native stub of a 32-bit .NET executable; the program's real logic is in the managed code reached through the CLR, not at the entrypoint.

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xad790 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xae000 | 0x18a00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc8000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xab7e8 | 0xab800 | e5f99886d840dcfc75965c6d0a86ca02 | False | 0.8674095754373178 | data | 7.622833498923812 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xae000 | 0x18a00 | 0x18a00 | 58fd92d0203699bfea8703b25af98ecc | False | 0.14490799492385786 | data | 4.280383174499622 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc8000 | 0xc | 0x200 | e2b1294ec970c4b1aa87caeed559df2d | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
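The section table gives each section an 8-bit entropy and a "ZLIB Complexity" value. The .text section, which holds the managed code, sits at 7.62 bits per byte and 0.87, well above what uncompressed IL and metadata normally show, while .rsrc (4.28, 0.14) and .reloc (0.10, 0.04) compress as ordinary data does; that profile points at a packed or encrypted payload inside the code section. The script below is an added example, not Joe Sandbox code: it reproduces both metrics and applies that heuristic. Its definition of ZLIB complexity (deflate-compressed length divided by raw length) is inferred from the table's own numbers (for .reloc, 0.044921875 is exactly 23/512 with a raw size of 0x200), not a documented formula, and the three buffers are constructed stand-ins rather than bytes from the analysed file.

```python
"""Recompute the per-section 'Entropy (8bit)' and 'ZLIB Complexity' columns of a
sandbox section table and apply a packed-code heuristic.

Added example; not Joe Sandbox code. zlib_complexity() ASSUMES the column is
deflate-compressed length / raw length (inferred from the report's values,
e.g. .reloc: 0.044921875 == 23/512). The buffers below are constructed
stand-ins, not bytes from the analysed binary.
"""
import math
import random
import zlib
from collections import Counter

# Constructed stand-ins for three kinds of section content.
CODE_LIKE = b"\x55\x8b\xec\x83\xec\x10\x8b\x45\x08\x85\xc0\x74\x05\xe8\x00\x00\x00\x00\x5d\xc3" * 200
_N = 0xAB800  # same raw size as the report's .text section
PACKED_LIKE = random.Random(7).getrandbits(8 * _N).to_bytes(_N, "little")  # stand-in for encrypted code
PADDING_LIKE = b"\x00\xc0\x00\x00\x0c\x00\x00\x00" + bytes(0x200 - 8)  # tiny .reloc block, zero fill


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 (constant) .. 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def zlib_complexity(data: bytes) -> float:
    """Assumed definition: len(zlib.compress(data)) / len(data).
    Values near or above 1.0 mean the bytes are already compressed or encrypted."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def section_metrics(name: str, raw: bytes, is_code: bool) -> dict:
    return {"name": name, "raw_size": len(raw), "is_code": is_code,
            "entropy": shannon_entropy(raw), "zlib": zlib_complexity(raw)}


def looks_packed(m: dict, entropy_min: float = 7.0, zlib_min: float = 0.8) -> bool:
    """Heuristic: a *code* section should compress. One that is near-random
    (high entropy, almost no compression) is probably packed or encrypted.
    The thresholds are assumptions; tune them against known-good binaries."""
    return m["is_code"] and m["entropy"] >= entropy_min and m["zlib"] >= zlib_min


def analyse(sections):
    """sections: iterable of (name, raw bytes, is_code) -> metric dicts with a 'packed' verdict."""
    out = []
    for name, raw, is_code in sections:
        m = section_metrics(name, raw, is_code)
        m["packed"] = looks_packed(m)
        out.append(m)
    return out


if __name__ == "__main__":
    rows = analyse([(".text(packed)", PACKED_LIKE, True),
                    (".text(plain)", CODE_LIKE, True),
                    (".reloc", PADDING_LIKE, False)])
    for m in rows:
        print(f"{m['name']:<14} size=0x{m['raw_size']:x} entropy={m['entropy']:.3f} "
              f"zlib={m['zlib']:.3f} packed={m['packed']}")
```

Against a real file, replace the constructed buffers with each section's raw bytes (for instance pefile's section.get_data()) and take is_code from IMAGE_SCN_CNT_CODE; the verdict is only a triage hint, since legitimately compressed resources or embedded certificates also score high, which is why the check is limited to code sections.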

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xae1d8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2834 x 2834 px/m | | | 0.2649377593360996
RT_ICON | 0xb0780 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2834 x 2834 px/m | | | 0.3646810506566604
RT_ICON | 0xb1828 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2834 x 2834 px/m | | | 0.5549645390070922
RT_ICON | 0xb1c90 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2834 x 2834 px/m | | | 0.18115257439773264
RT_ICON | 0xb5eb8 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2834 x 2834 px/m | | | 0.0959718443156276
RT_GROUP_ICON | 0xc66e0 | 0x4c | data | | | 0.7631578947368421
RT_GROUP_ICON | 0xc672c | 0x14 | data | | | 1.05
RT_VERSION | 0xc6740 | 0x2c0 | data | | | 0.4616477272727273

DLL | Import
mscoree.dll | _CorExeMain

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 21:31:44.011161089 CET | 49735 | 5200 | 192.168.2.4 | 154.39.0.150
Jan 10, 2025 21:31:44.016179085 CET | 5200 | 49735 | 154.39.0.150 | 192.168.2.4
Jan 10, 2025 21:31:44.016287088 CET | 49735 | 5200 | 192.168.2.4 | 154.39.0.150
Jan 10, 2025 21:31:44.149319887 CET | 49735 | 5200 | 192.168.2.4 | 154.39.0.150
Jan 10, 2025 21:31:44.154155970 CET | 5200 | 49735 | 154.39.0.150 | 192.168.2.4
Jan 10, 2025 21:31:45.434144974 CET | 5200 | 49735 | 154.39.0.150 | 192.168.2.4
Jan 10, 2025 21:31:45.434205055 CET | 49735 | 5200 | 192.168.2.4 | 154.39.0.150
Jan 10, 2025 21:31:48.041424036 CET | 49735 | 5200 | 192.168.2.4 | 154.39.0.150
Jan 10, 2025 21:31:48.042924881 CET | 49736 | 5200 | 192.168.2.4 | 154.39.0.150
Jan 10, 2025 21:31:48.046354055 CET | 5200 | 49735 | 154.39.0.150 | 192.168.2.4
Jan 10, 2025 21:31:48.047763109 CET | 5200 | 49736 | 154.39.0.150 | 192.168.2.4
Jan 10, 2025 21:31:48.047835112 CET | 49736 | 5200 | 192.168.2.4 | 154.39.0.150
Jan 10, 2025 21:31:48.067198992 CET | 49736 | 5200 | 192.168.2.4 | 154.39.0.150
Jan 10, 2025 21:31:48.072124004 CET | 5200 | 49736 | 154.39.0.150 | 192.168.2.4
Jan 10, 2025 21:31:49.453684092 CET | 5200 | 49736 | 154.39.0.150 | 192.168.2.4
Jan 10, 2025 21:31:49.453772068 CET | 49736 | 5200 | 192.168.2.4 | 154.39.0.150
Jan 10, 2025 21:31:51.900774956 CET | 49736 | 5200 | 192.168.2.4 | 154.39.0.150
Jan 10, 2025 21:31:51.901616096 CET | 49737 | 5200 | 192.168.2.4 | 154.39.0.150
Jan 10, 2025 21:31:51.905673981 CET | 5200 | 49736 | 154.39.0.150 | 192.168.2.4
Jan 10, 2025 21:31:51.906541109 CET | 5200 | 49737 | 154.39.0.150 | 192.168.2.4
Jan 10, 2025 21:31:51.906832933 CET | 49737 | 5200 | 192.168.2.4 | 154.39.0.150
Jan 10, 2025 21:31:51.924295902 CET | 49737 | 5200 | 192.168.2.4 | 154.39.0.150
Jan 10, 2025 21:31:51.929114103 CET | 5200 | 49737 | 154.39.0.150 | 192.168.2.4
Jan 10, 2025 21:31:53.525479078 CET | 5200 | 49737 | 154.39.0.150 | 192.168.2.4
Jan 10, 2025 21:31:53.525599957 CET | 49737 | 5200 | 192.168.2.4 | 154.39.0.150
Jan 10, 2025 21:31:53.527049065 CET | 5200 | 49737 | 154.39.0.150 | 192.168.2.4
Jan 10, 2025 21:31:53.529503107 CET | 49737 | 5200 | 192.168.2.4 | 154.39.0.150
Jan 10, 2025 21:31:56.041498899 CET | 49737 | 5200 | 192.168.2.4 | 154.39.0.150
Jan 10, 2025 21:31:56.042103052 CET | 49742 | 5200 | 192.168.2.4 | 154.39.0.150
Jan 10, 2025 21:31:56.046530962 CET | 5200 | 49737 | 154.39.0.150 | 192.168.2.4
Jan 10, 2025 21:31:56.047003984 CET | 5200 | 49742 | 154.39.0.150 | 192.168.2.4
Jan 10, 2025 21:31:56.047099113 CET | 49742 | 5200 | 192.168.2.4 | 154.39.0.150
Jan 10, 2025 21:31:56.066231012 CET | 49742 | 5200 | 192.168.2.4 | 154.39.0.150
Jan 10, 2025 21:31:56.071038961 CET | 5200 | 49742 | 154.39.0.150 | 192.168.2.4
Jan 10, 2025 21:31:57.499826908 CET | 5200 | 49742 | 154.39.0.150 | 192.168.2.4
Jan 10, 2025 21:31:57.499923944 CET | 49742 | 5200 | 192.168.2.4 | 154.39.0.150
Jan 10, 2025 21:32:01.103250980 CET | 49742 | 5200 | 192.168.2.4 | 154.39.0.150
Jan 10, 2025 21:32:01.105519056 CET | 49745 | 5200 | 192.168.2.4 | 154.39.0.150
Jan 10, 2025 21:32:01.108081102 CET | 5200 | 49742 | 154.39.0.150 | 192.168.2.4
Jan 10, 2025 21:32:01.110342026 CET | 5200 | 49745 | 154.39.0.150 | 192.168.2.4
Jan 10, 2025 21:32:01.112272978 CET | 49745 | 5200 | 192.168.2.4 | 154.39.0.150
Jan 10, 2025 21:32:01.178232908 CET | 49745 | 5200 | 192.168.2.4 | 154.39.0.150
Jan 10, 2025 21:32:01.183057070 CET | 5200 | 49745 | 154.39.0.150 | 192.168.2.4
Jan 10, 2025 21:32:02.547163010 CET | 5200 | 49745 | 154.39.0.150 | 192.168.2.4
Jan 10, 2025 21:32:02.547323942 CET | 49745 | 5200 | 192.168.2.4 | 154.39.0.150
Jan 10, 2025 21:32:05.541444063 CET | 49745 | 5200 | 192.168.2.4 | 154.39.0.150
Jan 10, 2025 21:32:05.542520046 CET | 49746 | 5200 | 192.168.2.4 | 154.39.0.150
Jan 10, 2025 21:32:05.546375990 CET | 5200 | 49745 | 154.39.0.150 | 192.168.2.4
Jan 10, 2025 21:32:05.547365904 CET | 5200 | 49746 | 154.39.0.150 | 192.168.2.4
Jan 10, 2025 21:32:05.547506094 CET | 49746 | 5200 | 192.168.2.4 | 154.39.0.150
Jan 10, 2025 21:32:05.563922882 CET | 49746 | 5200 | 192.168.2.4 | 154.39.0.150
Jan 10, 2025 21:32:05.568837881 CET | 5200 | 49746 | 154.39.0.150 | 192.168.2.4
Jan 10, 2025 21:32:06.932178974 CET | 5200 | 49746 | 154.39.0.150 | 192.168.2.4
Jan 10, 2025 21:32:06.932250023 CET | 49746 | 5200 | 192.168.2.4 | 154.39.0.150
Jan 10, 2025 21:32:08.572891951 CET | 49746 | 5200 | 192.168.2.4 | 154.39.0.150
Jan 10, 2025 21:32:08.573699951 CET | 49747 | 5200 | 192.168.2.4 | 154.39.0.150
Jan 10, 2025 21:32:08.577804089 CET | 5200 | 49746 | 154.39.0.150 | 192.168.2.4
Jan 10, 2025 21:32:08.578502893 CET | 5200 | 49747 | 154.39.0.150 | 192.168.2.4
Jan 10, 2025 21:32:08.578847885 CET | 49747 | 5200 | 192.168.2.4 | 154.39.0.150
Jan 10, 2025 21:32:08.595611095 CET | 49747 | 5200 | 192.168.2.4 | 154.39.0.150
Jan 10, 2025 21:32:08.600405931 CET | 5200 | 49747 | 154.39.0.150 | 192.168.2.4
Jan 10, 2025 21:32:09.963850021 CET | 5200 | 49747 | 154.39.0.150 | 192.168.2.4
Jan 10, 2025 21:32:09.963932037 CET | 49747 | 5200 | 192.168.2.4 | 154.39.0.150
Jan 10, 2025 21:32:13.182019949 CET | 49747 | 5200 | 192.168.2.4 | 154.39.0.150
Jan 10, 2025 21:32:13.182813883 CET | 49748 | 5200 | 192.168.2.4 | 154.39.0.150
Jan 10, 2025 21:32:13.187046051 CET | 5200 | 49747 | 154.39.0.150 | 192.168.2.4
Jan 10, 2025 21:32:13.187839031 CET | 5200 | 49748 | 154.39.0.150 | 192.168.2.4
Jan 10, 2025 21:32:13.187939882 CET | 49748 | 5200 | 192.168.2.4 | 154.39.0.150
Jan 10, 2025 21:32:13.203804970 CET | 49748 | 5200 | 192.168.2.4 | 154.39.0.150
Jan 10, 2025 21:32:13.208667040 CET | 5200 | 49748 | 154.39.0.150 | 192.168.2.4
Jan 10, 2025 21:32:14.621314049 CET | 5200 | 49748 | 154.39.0.150 | 192.168.2.4
Jan 10, 2025 21:32:14.621423006 CET | 49748 | 5200 | 192.168.2.4 | 154.39.0.150
                                                                      Jan 10, 2025 21:32:17.650960922 CET497485200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:17.651885033 CET497495200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:17.655777931 CET520049748154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:17.656804085 CET520049749154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:17.656864882 CET497495200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:17.674601078 CET497495200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:17.679466009 CET520049749154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:19.060883045 CET520049749154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:19.061078072 CET497495200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:21.119721889 CET497495200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:21.121649981 CET497505200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:21.124613047 CET520049749154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:21.126488924 CET520049750154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:21.126595020 CET497505200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:21.143192053 CET497505200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:21.148354053 CET520049750154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:22.532212019 CET520049750154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:22.536757946 CET497505200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:24.400851011 CET497505200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:24.401640892 CET497515200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:24.520332098 CET520049750154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:24.520347118 CET520049751154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:24.520488977 CET497515200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:24.536423922 CET497515200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:24.541255951 CET520049751154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:25.921247959 CET520049751154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:25.921344042 CET497515200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:28.010328054 CET497515200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:28.011024952 CET497525200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:28.015119076 CET520049751154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:28.015850067 CET520049752154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:28.016050100 CET497525200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:28.032941103 CET497525200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:28.037792921 CET520049752154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:29.401695013 CET520049752154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:29.406296015 CET497525200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:30.932188034 CET497525200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:30.933470011 CET497535200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:30.937042952 CET520049752154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:30.938271999 CET520049753154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:30.938414097 CET497535200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:30.954420090 CET497535200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:30.959347010 CET520049753154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:32.323044062 CET520049753154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:32.326189995 CET497535200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:32.478905916 CET497535200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:32.480480909 CET497615200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:32.483774900 CET520049753154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:32.485260963 CET520049761154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:32.488725901 CET497615200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:32.504719973 CET497615200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:32.510103941 CET520049761154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:33.890470982 CET520049761154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:33.890546083 CET497615200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:34.182240963 CET497615200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:34.183337927 CET497715200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:34.187077999 CET520049761154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:34.188170910 CET520049771154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:34.188245058 CET497715200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:34.206454992 CET497715200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:34.211568117 CET520049771154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:35.591887951 CET520049771154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:35.591975927 CET497715200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:36.151338100 CET497715200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:36.153182983 CET497785200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:36.156102896 CET520049771154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:36.157928944 CET520049778154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:36.157999039 CET497785200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:36.183835030 CET497785200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:36.188661098 CET520049778154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:37.574361086 CET520049778154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:37.574423075 CET497785200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:38.041418076 CET497785200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:38.043026924 CET497935200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:38.050201893 CET520049778154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:38.050219059 CET520049793154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:38.050292969 CET497935200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:38.070169926 CET497935200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:38.075005054 CET520049793154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:39.458796978 CET520049793154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:39.460273981 CET497935200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:39.932164907 CET497935200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:39.933840036 CET498025200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:39.936990023 CET520049793154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:39.938600063 CET520049802154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:39.938771963 CET498025200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:39.959117889 CET498025200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:39.963865995 CET520049802154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:41.374666929 CET520049802154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:41.374737978 CET498025200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:41.432111025 CET498025200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:41.433185101 CET498115200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:41.437050104 CET520049802154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:41.438044071 CET520049811154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:41.438188076 CET498115200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:41.457098007 CET498115200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:41.462106943 CET520049811154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:42.843775988 CET520049811154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:42.844008923 CET498115200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:43.228935003 CET498115200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:43.230901957 CET498225200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:43.233716965 CET520049811154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:43.235733032 CET520049822154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:43.235949039 CET498225200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:43.278950930 CET498225200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:43.283729076 CET520049822154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:45.168796062 CET520049822154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:45.169996977 CET520049822154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:45.170147896 CET498225200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:45.171040058 CET520049822154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:45.173346996 CET498225200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:45.182416916 CET498225200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:45.183144093 CET498285200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:45.187189102 CET520049822154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:45.188205957 CET520049828154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:45.188321114 CET498285200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:45.205343962 CET498285200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:45.210181952 CET520049828154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:46.591228008 CET520049828154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:46.591370106 CET498285200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:46.604180098 CET498285200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:46.605421066 CET498395200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:46.609038115 CET520049828154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:46.610213041 CET520049839154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:46.610481977 CET498395200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:46.626142979 CET498395200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:46.631397009 CET520049839154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:48.030028105 CET520049839154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:48.030159950 CET498395200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:52.635251999 CET498395200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:52.637691975 CET498765200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:52.640039921 CET520049839154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:52.642474890 CET520049876154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:52.642641068 CET498765200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:52.711637020 CET498765200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:52.716470957 CET520049876154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:52.732026100 CET498765200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:52.736859083 CET520049876154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:54.063539982 CET520049876154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:54.063900948 CET498765200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:58.057157993 CET498765200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:58.061085939 CET499115200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:58.179420948 CET520049876154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:58.179435015 CET520049911154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:58.179544926 CET499115200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:58.236435890 CET499115200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:58.241321087 CET520049911154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:58.432352066 CET499115200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:58.438424110 CET520049911154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:58.447901011 CET499115200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:32:58.452697039 CET520049911154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:59.626970053 CET520049911154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:32:59.629596949 CET499115200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:33:03.620196104 CET499115200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:33:03.621612072 CET499475200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:33:03.625046968 CET520049911154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:33:03.626480103 CET520049947154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:33:03.626606941 CET499475200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:33:03.739393950 CET499475200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:33:03.744200945 CET520049947154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:33:04.151176929 CET499475200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:33:04.156040907 CET520049947154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:33:04.276654959 CET499475200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:33:04.281553030 CET520049947154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:33:04.338567019 CET499475200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:33:04.343470097 CET520049947154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:33:04.354228020 CET499475200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:33:04.359163046 CET520049947154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:33:05.027529001 CET520049947154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:33:05.027843952 CET499475200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:33:09.386526108 CET499475200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:33:09.388668060 CET499875200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:33:09.391516924 CET520049947154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:33:09.393516064 CET520049987154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:33:09.394073963 CET499875200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:33:09.495548964 CET499875200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:33:09.500421047 CET520049987154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:33:10.777558088 CET520049987154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:33:10.778234959 CET499875200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:33:14.697745085 CET499875200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:33:14.700131893 CET500165200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:33:14.703356981 CET520049987154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:33:14.704989910 CET520050016154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:33:14.705302954 CET500165200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:33:14.778523922 CET500165200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:33:14.784444094 CET520050016154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:33:15.965953112 CET500165200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:33:15.970756054 CET520050016154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:33:16.125356913 CET520050016154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:33:16.125499964 CET500165200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:33:21.047406912 CET500165200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:33:21.054160118 CET520050016154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:33:21.058216095 CET500345200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:33:21.065277100 CET520050034154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:33:21.066226959 CET500345200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:33:21.382209063 CET500345200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:33:21.387002945 CET520050034154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:33:21.620060921 CET500345200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:33:21.624912977 CET520050034154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:33:21.791639090 CET500345200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:33:21.796417952 CET520050034154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:33:21.932301044 CET500345200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:35:20.063673019 CET520050057154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:35:20.063751936 CET500575200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:35:20.120598078 CET500575200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:35:20.125478029 CET520050057154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:35:20.229569912 CET500575200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:35:20.234426975 CET520050057154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:35:20.649614096 CET500575200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:35:20.654486895 CET520050057154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:35:21.452459097 CET520050057154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:35:21.452653885 CET500575200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:35:25.260498047 CET500575200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:35:25.263823032 CET500585200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:35:25.265414000 CET520050057154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:35:25.268660069 CET520050058154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:35:25.268837929 CET500585200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:35:25.464371920 CET500585200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:35:25.469331026 CET520050058154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:35:25.620135069 CET500585200192.168.2.4154.39.0.150
                                                                      Jan 10, 2025 21:35:25.625199080 CET520050058154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:35:26.674323082 CET520050058154.39.0.150192.168.2.4
                                                                      Jan 10, 2025 21:35:26.674392939 CET500585200192.168.2.4154.39.0.150

                                                                      Target ID:0
                                                                      Start time:15:31:37
                                                                      Start date:10/01/2025
                                                                      Path:C:\Users\user\Desktop\3WQwD4Z4L7.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Desktop\3WQwD4Z4L7.exe"
                                                                      Imagebase:0xc50000
                                                                      File size:804'352 bytes
                                                                      MD5 hash:D3B756EA02A2CF77EC1EDC7F33F5EADD
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1728911401.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1728911401.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1729244829.0000000003FF9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1729244829.0000000003FF9000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1729244829.0000000004864000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1729244829.0000000004864000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                      Reputation:low
                                                                      Has exited:true

                                                                      Target ID:2
                                                                      Start time:15:31:38
                                                                      Start date:10/01/2025
                                                                      Path:C:\Users\user\Desktop\3WQwD4Z4L7.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:"C:\Users\user\Desktop\3WQwD4Z4L7.exe"
                                                                      Imagebase:0xbd0000
                                                                      File size:804'352 bytes
                                                                      MD5 hash:D3B756EA02A2CF77EC1EDC7F33F5EADD
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000002.4184269379.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                      • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000002.4184269379.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                      Reputation:low
                                                                      Has exited:false

                                                                      Target ID:9
                                                                      Start time:15:35:26
                                                                      Start date:10/01/2025
                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7624 -s 2056
                                                                      Imagebase:0x340000
                                                                      File size:483'680 bytes
                                                                      MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high
                                                                      Has exited:false

                                                                        Execution Graph

                                                                        Execution Coverage:10.6%
                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                        Signature Coverage:2.3%
                                                                        Total number of Nodes:220
                                                                        Total number of Limit Nodes:11
                                                                        execution_graph 28072 2e84668 28073 2e8467a 28072->28073 28074 2e84686 28073->28074 28076 2e84779 28073->28076 28077 2e8479d 28076->28077 28081 2e84878 28077->28081 28085 2e84888 28077->28085 28082 2e848af 28081->28082 28083 2e8498c 28082->28083 28089 2e844b0 28082->28089 28083->28083 28087 2e848af 28085->28087 28086 2e8498c 28087->28086 28088 2e844b0 CreateActCtxA 28087->28088 28088->28086 28090 2e85918 CreateActCtxA 28089->28090 28092 2e859db 28090->28092 28127 2e8d4d8 28128 2e8d51e 28127->28128 28132 2e8d6a8 28128->28132 28135 2e8d6b8 28128->28135 28129 2e8d60b 28138 2e8b830 28132->28138 28136 2e8d6e6 28135->28136 28137 2e8b830 DuplicateHandle 28135->28137 28136->28129 28137->28136 28139 2e8d720 DuplicateHandle 28138->28139 28140 2e8d6e6 28139->28140 28140->28129 28114 76066c1 28116 76066c4 28114->28116 28115 7606729 28116->28115 28117 7607cc0 VirtualProtect 28116->28117 28118 7607cb8 VirtualProtect 28116->28118 28117->28116 28118->28116 28093 76059b4 28097 7607cb8 28093->28097 28100 7607cc0 28093->28100 28094 76059e5 28098 7607d08 VirtualProtect 28097->28098 28099 7607d42 28098->28099 28099->28094 28101 7607d08 VirtualProtect 28100->28101 28102 7607d42 28101->28102 28102->28094 28119 7605f46 28121 7607cc0 VirtualProtect 28119->28121 28122 7607cb8 VirtualProtect 28119->28122 28120 7605f5d 28121->28120 28122->28120 28149 2e8ad50 28150 2e8ad5f 28149->28150 28153 2e8ae48 28149->28153 28158 2e8ae37 28149->28158 28154 2e8ae59 28153->28154 28155 2e8ae7c 28153->28155 28154->28155 28156 2e8b080 GetModuleHandleW 28154->28156 28155->28150 28157 2e8b0ad 28156->28157 28157->28150 28159 2e8ae7c 28158->28159 28160 2e8ae59 28158->28160 28159->28150 28160->28159 28161 2e8b080 GetModuleHandleW 28160->28161 28162 2e8b0ad 28161->28162 28162->28150 28107 7096790 28108 709691b 28107->28108 28109 70967b6 28107->28109 28109->28108 28111 709638c 28109->28111 28112 7096a10 PostMessageW 28111->28112 28113 7096a7c 
28112->28113 28113->28109 28163 70947f3 28164 7094757 28163->28164 28165 70947b2 28164->28165 28169 7095128 28164->28169 28187 709519e 28164->28187 28206 7095138 28164->28206 28170 709512c 28169->28170 28224 7095beb 28170->28224 28228 70955f6 28170->28228 28233 7095556 28170->28233 28238 7095733 28170->28238 28243 7095b11 28170->28243 28248 7095ed1 28170->28248 28252 709579e 28170->28252 28257 7095a1b 28170->28257 28265 7095bd8 28170->28265 28271 7095759 28170->28271 28277 7095899 28170->28277 28282 7095685 28170->28282 28287 7095802 28170->28287 28298 709588e 28170->28298 28303 70955ed 28170->28303 28171 709515a 28171->28164 28188 709512c 28187->28188 28190 70951a1 28187->28190 28191 7095beb 2 API calls 28188->28191 28192 70955ed 2 API calls 28188->28192 28193 709588e 2 API calls 28188->28193 28194 7095802 4 API calls 28188->28194 28195 7095685 2 API calls 28188->28195 28196 7095899 2 API calls 28188->28196 28197 7095759 2 API calls 28188->28197 28198 7095bd8 2 API calls 28188->28198 28199 7095a1b 2 API calls 28188->28199 28200 709579e 2 API calls 28188->28200 28201 7095ed1 2 API calls 28188->28201 28202 7095b11 2 API calls 28188->28202 28203 7095733 2 API calls 28188->28203 28204 7095556 2 API calls 28188->28204 28205 70955f6 2 API calls 28188->28205 28189 709515a 28189->28164 28190->28164 28191->28189 28192->28189 28193->28189 28194->28189 28195->28189 28196->28189 28197->28189 28198->28189 28199->28189 28200->28189 28201->28189 28202->28189 28203->28189 28204->28189 28205->28189 28207 7095152 28206->28207 28209 7095beb 2 API calls 28207->28209 28210 70955ed 2 API calls 28207->28210 28211 709588e 2 API calls 28207->28211 28212 7095802 4 API calls 28207->28212 28213 7095685 2 API calls 28207->28213 28214 7095899 2 API calls 28207->28214 28215 7095759 2 API calls 28207->28215 28216 7095bd8 2 API calls 28207->28216 28217 7095a1b 2 API calls 28207->28217 28218 709579e 2 API calls 28207->28218 28219 7095ed1 2 API calls 28207->28219 28220 7095b11 2 API calls 
28207->28220 28221 7095733 2 API calls 28207->28221 28222 7095556 2 API calls 28207->28222 28223 70955f6 2 API calls 28207->28223 28208 709515a 28208->28164 28209->28208 28210->28208 28211->28208 28212->28208 28213->28208 28214->28208 28215->28208 28216->28208 28217->28208 28218->28208 28219->28208 28220->28208 28221->28208 28222->28208 28223->28208 28308 7094148 28224->28308 28312 7094140 28224->28312 28225 7095c0d 28225->28171 28229 709557c 28228->28229 28316 70942e0 28229->28316 28320 70942d4 28229->28320 28234 709557c 28233->28234 28236 70942e0 CreateProcessA 28234->28236 28237 70942d4 CreateProcessA 28234->28237 28235 7095650 28235->28171 28236->28235 28237->28235 28239 7095756 28238->28239 28324 7094058 28239->28324 28328 7094051 28239->28328 28240 70957d1 28240->28171 28244 7095b17 28243->28244 28332 70939d8 28244->28332 28336 70939d0 28244->28336 28245 7095b3d 28340 7093a88 28248->28340 28344 7093a80 28248->28344 28249 7095eeb 28253 70957a2 28252->28253 28255 7094058 WriteProcessMemory 28253->28255 28256 7094051 WriteProcessMemory 28253->28256 28254 70957d1 28254->28171 28255->28254 28256->28254 28258 7095a21 28257->28258 28259 709567b 28258->28259 28260 70957d1 28258->28260 28261 7094058 WriteProcessMemory 28258->28261 28262 7094051 WriteProcessMemory 28258->28262 28259->28260 28263 7094058 WriteProcessMemory 28259->28263 28264 7094051 WriteProcessMemory 28259->28264 28260->28171 28261->28258 28262->28258 28263->28260 28264->28260 28266 7095b28 28265->28266 28267 7095be5 28265->28267 28269 70939d8 ResumeThread 28266->28269 28270 70939d0 ResumeThread 28266->28270 28268 7095b3d 28269->28268 28270->28268 28272 70958b7 28271->28272 28273 70956b9 28271->28273 28275 7093a88 Wow64SetThreadContext 28272->28275 28276 7093a80 Wow64SetThreadContext 28272->28276 28274 709576c 28274->28171 28275->28274 28276->28274 28278 709589e 28277->28278 28280 7094058 WriteProcessMemory 28278->28280 28281 7094051 WriteProcessMemory 28278->28281 28279 7095ea1 28280->28279 
28281->28279 28283 7095686 28282->28283 28284 70957d1 28283->28284 28285 7094058 WriteProcessMemory 28283->28285 28286 7094051 WriteProcessMemory 28283->28286 28284->28171 28285->28284 28286->28284 28288 7095808 28287->28288 28289 709567b 28288->28289 28348 70961c8 28288->28348 28353 70961b8 28288->28353 28290 70957d1 28289->28290 28292 7094058 WriteProcessMemory 28289->28292 28293 7094051 WriteProcessMemory 28289->28293 28290->28171 28291 7095828 28291->28289 28291->28290 28296 7094058 WriteProcessMemory 28291->28296 28297 7094051 WriteProcessMemory 28291->28297 28292->28290 28293->28290 28296->28291 28297->28291 28299 709589e 28298->28299 28300 7095891 28298->28300 28301 7094058 WriteProcessMemory 28299->28301 28302 7094051 WriteProcessMemory 28299->28302 28301->28300 28302->28300 28304 7095580 28303->28304 28305 7095650 28304->28305 28306 70942e0 CreateProcessA 28304->28306 28307 70942d4 CreateProcessA 28304->28307 28305->28171 28306->28305 28307->28305 28309 7094193 ReadProcessMemory 28308->28309 28311 70941d7 28309->28311 28311->28225 28313 7094149 ReadProcessMemory 28312->28313 28315 70941d7 28313->28315 28315->28225 28317 7094369 CreateProcessA 28316->28317 28319 709452b 28317->28319 28321 70942d2 28320->28321 28321->28320 28322 70944ce CreateProcessA 28321->28322 28323 709452b 28322->28323 28325 70940a0 WriteProcessMemory 28324->28325 28327 70940f7 28325->28327 28327->28240 28329 7094058 WriteProcessMemory 28328->28329 28331 70940f7 28329->28331 28331->28240 28333 7093a18 ResumeThread 28332->28333 28335 7093a49 28333->28335 28335->28245 28337 7093a18 ResumeThread 28336->28337 28339 7093a49 28337->28339 28339->28245 28341 7093acd Wow64SetThreadContext 28340->28341 28343 7093b15 28341->28343 28343->28249 28345 7093acd Wow64SetThreadContext 28344->28345 28347 7093b15 28345->28347 28347->28249 28349 70961dd 28348->28349 28359 7093f93 28349->28359 28363 7093f98 28349->28363 28350 70961fc 28350->28291 28354 7096241 28353->28354 28355 70961c6 28353->28355 
28354->28291 28357 7093f98 VirtualAllocEx 28355->28357 28358 7093f93 VirtualAllocEx 28355->28358 28356 70961fc 28356->28291 28357->28356 28358->28356 28360 7093f98 VirtualAllocEx 28359->28360 28362 7094015 28360->28362 28362->28350 28364 7093fd8 VirtualAllocEx 28363->28364 28366 7094015 28364->28366 28366->28350

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 372 7602c96-7602c9d 373 7602c9f-7602ca0 372->373 374 7602ca2-7602cab 373->374 375 7602cc4-7602cf1 373->375 374->375 375->373 377 7602cf3-7602d1d 375->377 379 7602d24-7602d62 call 76032a0 377->379 380 7602d1f 377->380 382 7602d68 379->382 380->379 383 7602d6f-7602d8b 382->383 384 7602d94-7602d95 383->384 385 7602d8d 383->385 394 76030eb-76030f2 384->394 385->382 385->384 386 7602ea0-7602eac 385->386 387 7602f61-7602f6e 385->387 388 76030a5-76030b1 385->388 389 7602f06-7602f26 385->389 390 7602e66-7602e78 385->390 391 7602f47-7602f5c 385->391 392 7602dc7-7602dd9 385->392 393 7602eca-7602eea 385->393 385->394 395 7602f2b-7602f42 385->395 396 7602f8d-7602f91 385->396 397 7602fed-7602ff9 385->397 398 7602eef-7602f01 385->398 399 76030cf-76030e6 385->399 400 7602e10-7602e28 385->400 401 7602f73-7602f88 385->401 402 7602d9a-7602d9e 385->402 403 7602ddb-7602de4 385->403 404 760307b-76030a0 385->404 405 7602fbd-7602fc1 385->405 406 7602e7d-7602e9b 385->406 407 7602eb3-7602ec5 386->407 408 7602eae 386->408 387->383 413 76030b3 388->413 414 76030b8-76030ca 388->414 389->383 390->383 391->383 392->383 393->383 395->383 415 7602f93-7602fa2 396->415 416 7602fa4-7602fab 396->416 421 7603000-7603016 397->421 422 7602ffb 397->422 398->383 399->383 417 7602e2a 400->417 418 7602e2f-7602e45 400->418 401->383 409 7602da0-7602daf 402->409 410 7602db1-7602db8 402->410 411 7602de6-7602df5 403->411 412 7602df7-7602dfe 403->412 404->383 419 7602fc3-7602fd2 405->419 420 7602fd4-7602fdb 405->420 406->383 407->383 408->407 425 7602dbf-7602dc5 409->425 410->425 427 7602e05-7602e0b 411->427 412->427 413->414 414->383 429 7602fb2-7602fb8 415->429 416->429 417->418 437 7602e47 418->437 438 7602e4c-7602e61 418->438 430 7602fe2-7602fe8 419->430 420->430 435 7603018 421->435 436 760301d-7603033 421->436 422->421 425->383 427->383 429->383 430->383 435->436 441 7603035 436->441 442 760303a-7603050 436->442 
437->438 438->383 441->442 444 7603052 442->444 445 7603057-7603076 442->445 444->445 445->383
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1732541298.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7600000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: ry$ry$ry
                                                                        • API String ID: 0-128149707
                                                                        • Opcode ID: 13d10e44b96a2b4879799f4f1e98b8c5d9ad83b4d46ab51fc92af5480b5b4ad6
                                                                        • Instruction ID: 48af3acb7330d521894d4e62e69ba063cd444d488a58303c31dfe808e0025688
                                                                        • Opcode Fuzzy Hash: 13d10e44b96a2b4879799f4f1e98b8c5d9ad83b4d46ab51fc92af5480b5b4ad6
                                                                        • Instruction Fuzzy Hash: 83D18FB5D0520ADFCB08CFA5D4994AEFBB2FF89300F15C156D412AB294D734AA82CF90

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 448 7602cad-7602cc3 449 7602cc4-7602cf1 448->449 451 7602cf3-7602d1d 449->451 452 7602c9f-7602ca0 449->452 455 7602d24-7602d62 call 76032a0 451->455 456 7602d1f 451->456 452->449 454 7602ca2-7602cab 452->454 454->449 458 7602d68 455->458 456->455 459 7602d6f-7602d8b 458->459 460 7602d94-7602d95 459->460 461 7602d8d 459->461 470 76030eb-76030f2 460->470 461->458 461->460 462 7602ea0-7602eac 461->462 463 7602f61-7602f6e 461->463 464 76030a5-76030b1 461->464 465 7602f06-7602f26 461->465 466 7602e66-7602e78 461->466 467 7602f47-7602f5c 461->467 468 7602dc7-7602dd9 461->468 469 7602eca-7602eea 461->469 461->470 471 7602f2b-7602f42 461->471 472 7602f8d-7602f91 461->472 473 7602fed-7602ff9 461->473 474 7602eef-7602f01 461->474 475 76030cf-76030e6 461->475 476 7602e10-7602e28 461->476 477 7602f73-7602f88 461->477 478 7602d9a-7602d9e 461->478 479 7602ddb-7602de4 461->479 480 760307b-76030a0 461->480 481 7602fbd-7602fc1 461->481 482 7602e7d-7602e9b 461->482 483 7602eb3-7602ec5 462->483 484 7602eae 462->484 463->459 489 76030b3 464->489 490 76030b8-76030ca 464->490 465->459 466->459 467->459 468->459 469->459 471->459 491 7602f93-7602fa2 472->491 492 7602fa4-7602fab 472->492 497 7603000-7603016 473->497 498 7602ffb 473->498 474->459 475->459 493 7602e2a 476->493 494 7602e2f-7602e45 476->494 477->459 485 7602da0-7602daf 478->485 486 7602db1-7602db8 478->486 487 7602de6-7602df5 479->487 488 7602df7-7602dfe 479->488 480->459 495 7602fc3-7602fd2 481->495 496 7602fd4-7602fdb 481->496 482->459 483->459 484->483 501 7602dbf-7602dc5 485->501 486->501 503 7602e05-7602e0b 487->503 488->503 489->490 490->459 505 7602fb2-7602fb8 491->505 492->505 493->494 513 7602e47 494->513 514 7602e4c-7602e61 494->514 506 7602fe2-7602fe8 495->506 496->506 511 7603018 497->511 512 760301d-7603033 497->512 498->497 501->459 503->459 505->459 506->459 511->512 517 7603035 512->517 518 760303a-7603050 512->518 
513->514 514->459 517->518 520 7603052 518->520 521 7603057-7603076 518->521 520->521 521->459
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1732541298.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7600000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: ry$ry$ry
                                                                        • API String ID: 0-128149707
                                                                        • Opcode ID: 4e5ebc048dee85002c791022efbda07a268ce2d4bd0bf46062add4206477b14a
                                                                        • Instruction ID: ec082e743a35fa19db0bf29cb964b2f2646b8a2f503d5e5a58d2925511a062b9
                                                                        • Opcode Fuzzy Hash: 4e5ebc048dee85002c791022efbda07a268ce2d4bd0bf46062add4206477b14a
                                                                        • Instruction Fuzzy Hash: E7D17FB5D05209DFCB08CFA5D4994AEFBB2FF89310F15C155D412AB294D7349A82CF90

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 524 7602cf8-7602d1d 525 7602d24-7602d62 call 76032a0 524->525 526 7602d1f 524->526 528 7602d68 525->528 526->525 529 7602d6f-7602d8b 528->529 530 7602d94-7602d95 529->530 531 7602d8d 529->531 540 76030eb-76030f2 530->540 531->528 531->530 532 7602ea0-7602eac 531->532 533 7602f61-7602f6e 531->533 534 76030a5-76030b1 531->534 535 7602f06-7602f26 531->535 536 7602e66-7602e78 531->536 537 7602f47-7602f5c 531->537 538 7602dc7-7602dd9 531->538 539 7602eca-7602eea 531->539 531->540 541 7602f2b-7602f42 531->541 542 7602f8d-7602f91 531->542 543 7602fed-7602ff9 531->543 544 7602eef-7602f01 531->544 545 76030cf-76030e6 531->545 546 7602e10-7602e28 531->546 547 7602f73-7602f88 531->547 548 7602d9a-7602d9e 531->548 549 7602ddb-7602de4 531->549 550 760307b-76030a0 531->550 551 7602fbd-7602fc1 531->551 552 7602e7d-7602e9b 531->552 553 7602eb3-7602ec5 532->553 554 7602eae 532->554 533->529 559 76030b3 534->559 560 76030b8-76030ca 534->560 535->529 536->529 537->529 538->529 539->529 541->529 561 7602f93-7602fa2 542->561 562 7602fa4-7602fab 542->562 567 7603000-7603016 543->567 568 7602ffb 543->568 544->529 545->529 563 7602e2a 546->563 564 7602e2f-7602e45 546->564 547->529 555 7602da0-7602daf 548->555 556 7602db1-7602db8 548->556 557 7602de6-7602df5 549->557 558 7602df7-7602dfe 549->558 550->529 565 7602fc3-7602fd2 551->565 566 7602fd4-7602fdb 551->566 552->529 553->529 554->553 571 7602dbf-7602dc5 555->571 556->571 573 7602e05-7602e0b 557->573 558->573 559->560 560->529 575 7602fb2-7602fb8 561->575 562->575 563->564 583 7602e47 564->583 584 7602e4c-7602e61 564->584 576 7602fe2-7602fe8 565->576 566->576 581 7603018 567->581 582 760301d-7603033 567->582 568->567 571->529 573->529 575->529 576->529 581->582 587 7603035 582->587 588 760303a-7603050 582->588 583->584 584->529 587->588 590 7603052 588->590 591 7603057-7603076 588->591 590->591 591->529
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1732541298.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7600000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: ry$ry$ry
                                                                        • API String ID: 0-128149707
                                                                        • Opcode ID: ff7f590ec7d1f8e69126befbcbb9f0fb61dc7986152626d03ac09a96ecd97b86
                                                                        • Instruction ID: 1b46835a3a76884386c3e96cb1d0669f5e9f9b956c84c5e1fb54e94dae4fc97a
                                                                        • Opcode Fuzzy Hash: ff7f590ec7d1f8e69126befbcbb9f0fb61dc7986152626d03ac09a96ecd97b86
                                                                        • Instruction Fuzzy Hash: D1C14AB1D1520ADFCB08CF95D4998AEFBB2FF89300F11D559D412AB298D734A982CF94

                                                                        Control-flow Graph

                                                                        control_flow_graph 594 7600b3d-7600bb3 596 7600bb5 594->596 597 7600bba-7600c14 594->597 596->597 600 7600c17 597->600 601 7600c1e-7600c3a 600->601 602 7600c43-7600c44 601->602 603 7600c3c 601->603 604 7600df0-7600e60 602->604 605 7600c49-7600c71 602->605 603->600 603->604 603->605 606 7600d60-7600d6d 603->606 607 7600d46-7600d5b 603->607 608 7600c87-7600ca7 603->608 609 7600d0b-7600d41 603->609 610 7600cac-7600cb0 603->610 611 7600dcf-7600deb 603->611 612 7600d93-7600dae 603->612 613 7600c73-7600c85 603->613 614 7600db3-7600dca 603->614 615 7600cdc-7600d06 603->615 631 7600e62 call 7602766 604->631 632 7600e62 call 7602b37 604->632 633 7600e62 call 7602ae8 604->633 634 7600e62 call 7601e7a 604->634 635 7600e62 call 760214b 604->635 605->601 627 7600d76-7600d8e 606->627 607->601 608->601 609->601 616 7600cb2-7600cc1 610->616 617 7600cc3-7600cca 610->617 611->601 612->601 613->601 614->601 615->601 623 7600cd1-7600cd7 616->623 617->623 623->601 627->601 630 7600e68-7600e72 631->630 632->630 633->630 634->630 635->630
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1732541298.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7600000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Tefq$Tefq$z^I
                                                                        • API String ID: 0-2708104242
                                                                        • Opcode ID: 234b67b0635003d57b32a16337829ac51e385604487df3b4bd66c66b57ffb075
                                                                        • Instruction ID: 8b5be64de3a945ab872e7f488fa094584ee963ee74d5ca8b1e46d347e028cdc6
                                                                        • Opcode Fuzzy Hash: 234b67b0635003d57b32a16337829ac51e385604487df3b4bd66c66b57ffb075
                                                                        • Instruction Fuzzy Hash: ADA1F6B5E102598FCB08CFA9C584ADEFBB2FF89310F14942AD416AB354D7349946CF94

                                                                        Control-flow Graph

                                                                        control_flow_graph 636 7600b76-7600bb3 637 7600bb5 636->637 638 7600bba-7600c14 636->638 637->638 641 7600c17 638->641 642 7600c1e-7600c3a 641->642 643 7600c43-7600c44 642->643 644 7600c3c 642->644 645 7600df0-7600e60 643->645 646 7600c49-7600c71 643->646 644->641 644->645 644->646 647 7600d60-7600d6d 644->647 648 7600d46-7600d5b 644->648 649 7600c87-7600ca7 644->649 650 7600d0b-7600d41 644->650 651 7600cac-7600cb0 644->651 652 7600dcf-7600deb 644->652 653 7600d93-7600dae 644->653 654 7600c73-7600c85 644->654 655 7600db3-7600dca 644->655 656 7600cdc-7600d06 644->656 672 7600e62 call 7602766 645->672 673 7600e62 call 7602b37 645->673 674 7600e62 call 7602ae8 645->674 675 7600e62 call 7601e7a 645->675 676 7600e62 call 760214b 645->676 646->642 668 7600d76-7600d8e 647->668 648->642 649->642 650->642 657 7600cb2-7600cc1 651->657 658 7600cc3-7600cca 651->658 652->642 653->642 654->642 655->642 656->642 664 7600cd1-7600cd7 657->664 658->664 664->642 668->642 671 7600e68-7600e72 672->671 673->671 674->671 675->671 676->671
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1732541298.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7600000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Tefq$Tefq$z^I
                                                                        • API String ID: 0-2708104242
                                                                        • Opcode ID: 0af16ca7e13bfdfa6b53d33963b5ab5176e748e116b8da0453e76e3a9463ae79
                                                                        • Instruction ID: 24930a76a0bdffd22b5c661e9f7b0e74fa84a2295144e5970ef8fce06f3c9a4a
                                                                        • Opcode Fuzzy Hash: 0af16ca7e13bfdfa6b53d33963b5ab5176e748e116b8da0453e76e3a9463ae79
                                                                        • Instruction Fuzzy Hash: FB91C3B5E102198FCB08CFAAC5946DEFBB2FF89310F24942AD41AAB354D7349946CF54

                                                                        Control-flow Graph

                                                                        control_flow_graph 677 7600b90-7600bb3 678 7600bb5 677->678 679 7600bba-7600c14 677->679 678->679 682 7600c17 679->682 683 7600c1e-7600c3a 682->683 684 7600c43-7600c44 683->684 685 7600c3c 683->685 686 7600df0-7600e60 684->686 687 7600c49-7600c71 684->687 685->682 685->686 685->687 688 7600d60-7600d6d 685->688 689 7600d46-7600d5b 685->689 690 7600c87-7600ca7 685->690 691 7600d0b-7600d41 685->691 692 7600cac-7600cb0 685->692 693 7600dcf-7600deb 685->693 694 7600d93-7600dae 685->694 695 7600c73-7600c85 685->695 696 7600db3-7600dca 685->696 697 7600cdc-7600d06 685->697 713 7600e62 call 7602766 686->713 714 7600e62 call 7602b37 686->714 715 7600e62 call 7602ae8 686->715 716 7600e62 call 7601e7a 686->716 717 7600e62 call 760214b 686->717 687->683 709 7600d76-7600d8e 688->709 689->683 690->683 691->683 698 7600cb2-7600cc1 692->698 699 7600cc3-7600cca 692->699 693->683 694->683 695->683 696->683 697->683 705 7600cd1-7600cd7 698->705 699->705 705->683 709->683 712 7600e68-7600e72 713->712 714->712 715->712 716->712 717->712
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1732541298.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7600000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Tefq$Tefq$z^I
                                                                        • API String ID: 0-2708104242
                                                                        • Opcode ID: 7480b5a6decca6ae1ef1f8e2c402bd5ce25412121e9794818037773e297297f7
                                                                        • Instruction ID: cd1ac1455d90a668b63f500a0f3a195d6d3c4d45c269c2ae861a585f30092cc8
                                                                        • Opcode Fuzzy Hash: 7480b5a6decca6ae1ef1f8e2c402bd5ce25412121e9794818037773e297297f7
                                                                        • Instruction Fuzzy Hash: B791B3B4E112198FCB08CFAAC5846DEFBB2FF89310F24942AD41ABB254D7349946CF54

                                                                        Control-flow Graph

                                                                        control_flow_graph 740 76096b8-76096ed 742 76096f4-7609725 740->742 743 76096ef 740->743 744 7609726 742->744 743->742 745 760972d-7609749 744->745 746 7609752-7609753 745->746 747 760974b 745->747 765 76099bf-76099c8 746->765 747->744 747->746 748 76097e0-76097f2 747->748 749 7609844-7609857 747->749 750 76098c5-76098ce 747->750 751 76099a5-76099ba 747->751 752 7609828-760983f 747->752 753 7609989-76099a0 747->753 754 76098ab-76098c0 747->754 755 7609972-7609984 747->755 756 76098d3-76098fa 747->756 757 7609893-76098a6 747->757 758 76097b4-76097db 747->758 759 76097f7-76097fd call 7609b08 747->759 760 7609758-760979a 747->760 761 760995b-760996d 747->761 762 760985c-7609860 747->762 763 760979c-76097af 747->763 764 760993e-7609956 747->764 747->765 766 76098ff-7609912 747->766 748->745 749->745 750->745 751->745 752->745 753->745 754->745 755->745 756->745 757->745 758->745 771 7609803-7609823 759->771 760->745 761->745 767 7609862-7609871 762->767 768 7609873-760987a 762->768 763->745 764->745 769 7609914-7609923 766->769 770 7609925-760992c 766->770 773 7609881-760988e 767->773 768->773 772 7609933-7609939 769->772 770->772 771->745 772->745 773->745
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1732541298.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7600000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: TuA$UC;"
                                                                        • API String ID: 0-2071649361
                                                                        • Opcode ID: fa955b94796be3c6397be348261e67b89b8c732943894220727f204175c61b31
                                                                        • Instruction ID: c0150e270662027857dba5085267bfcad739b8d40c1b6baed2f97be312dfb3c4
                                                                        • Opcode Fuzzy Hash: fa955b94796be3c6397be348261e67b89b8c732943894220727f204175c61b31
                                                                        • Instruction Fuzzy Hash: 7C913DB5D24209DFCB08CFA5E58559EFBB2FF89350F10E426E516A72A4D730A942CF40

                                                                        Control-flow Graph

                                                                        control_flow_graph 779 76096c8-76096ed 780 76096f4-7609725 779->780 781 76096ef 779->781 782 7609726 780->782 781->780 783 760972d-7609749 782->783 784 7609752-7609753 783->784 785 760974b 783->785 803 76099bf-76099c8 784->803 785->782 785->784 786 76097e0-76097f2 785->786 787 7609844-7609857 785->787 788 76098c5-76098ce 785->788 789 76099a5-76099ba 785->789 790 7609828-760983f 785->790 791 7609989-76099a0 785->791 792 76098ab-76098c0 785->792 793 7609972-7609984 785->793 794 76098d3-76098fa 785->794 795 7609893-76098a6 785->795 796 76097b4-76097db 785->796 797 76097f7-76097fd call 7609b08 785->797 798 7609758-760979a 785->798 799 760995b-760996d 785->799 800 760985c-7609860 785->800 801 760979c-76097af 785->801 802 760993e-7609956 785->802 785->803 804 76098ff-7609912 785->804 786->783 787->783 788->783 789->783 790->783 791->783 792->783 793->783 794->783 795->783 796->783 809 7609803-7609823 797->809 798->783 799->783 805 7609862-7609871 800->805 806 7609873-760987a 800->806 801->783 802->783 807 7609914-7609923 804->807 808 7609925-760992c 804->808 811 7609881-760988e 805->811 806->811 810 7609933-7609939 807->810 808->810 809->783 810->783 811->783
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1732541298.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7600000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: TuA$UC;"
                                                                        • API String ID: 0-2071649361
                                                                        • Opcode ID: 5370de30e4331d1776fa5800dc7a2f7f1ba38ead612407f2c60ea495821dbdb3
                                                                        • Instruction ID: 96e303e4fd589640ad33ac783ca37afda996ce7e41def9a58b8a9800ea310f9a
                                                                        • Opcode Fuzzy Hash: 5370de30e4331d1776fa5800dc7a2f7f1ba38ead612407f2c60ea495821dbdb3
                                                                        • Instruction Fuzzy Hash: 58912EB5D24209DFCB08CFE5E58459EFBB2FF89350F10A426E516A72A4D730A942CF50
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1732541298.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7600000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 5=6
                                                                        • API String ID: 0-2897083178
                                                                        • Opcode ID: e98e76ad7ed6c455f6adc2c61e280acc3d0fb0dde1367197af34c7291d801872
                                                                        • Instruction ID: 342de15e1b3c1f5b443d857cf4e3ce5f9ea2b85b41752f1ef3877aa30536346c
                                                                        • Opcode Fuzzy Hash: e98e76ad7ed6c455f6adc2c61e280acc3d0fb0dde1367197af34c7291d801872
                                                                        • Instruction Fuzzy Hash: 8E7149B4E1560ADFCB08CFA5D9454AEFBF2FF89200F10E56AD016E7254EB349A018F94
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1732541298.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7600000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 5=6
                                                                        • API String ID: 0-2897083178
                                                                        • Opcode ID: 873c897b5a0e845c8f3af21e1bd0a4485e447c9ec247434c2b4d52145815f914
                                                                        • Instruction ID: c11f7918c0213991e2d18ba9b24aa6431cb51a3329294d57cc0f2adbadec7303
                                                                        • Opcode Fuzzy Hash: 873c897b5a0e845c8f3af21e1bd0a4485e447c9ec247434c2b4d52145815f914
                                                                        • Instruction Fuzzy Hash: 686129B4E1560A9FCB08CFA5D9454AFFBF2FF89200F10E56AD016E7254EB349A018F94
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1731604429.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7090000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6ea374543e7ff9c0e08c9d6333a1ca01714c5def1f61159e051bd8bbbde1a1e4
                                                                        • Instruction ID: ba533aa6e446132c1be5928bba46301782ed188ae7c425f72c3a2b2c390f2a75
                                                                        • Opcode Fuzzy Hash: 6ea374543e7ff9c0e08c9d6333a1ca01714c5def1f61159e051bd8bbbde1a1e4
                                                                        • Instruction Fuzzy Hash: F6229CB1B112058FDB19EB79C550BAEBBF6AF89300F1091B9E14A9B391CB34ED01DB51
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1732541298.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7600000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 8273db75e3af23dde8b799d38dced0ce0ccc9911a9bd7476970fa4a48663fe57
                                                                        • Instruction ID: 1ab543628beca82003af2975d94f36472200507705d71dd2580054a99ac79272
                                                                        • Opcode Fuzzy Hash: 8273db75e3af23dde8b799d38dced0ce0ccc9911a9bd7476970fa4a48663fe57
                                                                        • Instruction Fuzzy Hash: 1A2128B1E006188BDB18CFAAD9457CEFBF2BFC9300F14C16AD809A6258DB345946CF50
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1731604429.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7090000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b3cd0bbf60e1a100b7ebb04cdbb8190bd2ba34d959f3f06896a0f1dc4570a432
                                                                        • Instruction ID: ce7b6f43dcbffa80b03f40962aba17d15877a7db34ce48ba42ded3e562139574
                                                                        • Opcode Fuzzy Hash: b3cd0bbf60e1a100b7ebb04cdbb8190bd2ba34d959f3f06896a0f1dc4570a432
                                                                        • Instruction Fuzzy Hash: A50146B5818318CFCB91CF14DC80BECFBB8AB5A310F1012E6E819A7282C7319A90DF10

                                                                        Control-flow Graph

                                                                        control_flow_graph 817 70942d4-70942d8 818 70942da-7094375 817->818 819 70942d2 817->819 822 70943ae-70943ce 818->822 823 7094377-7094381 818->823 819->817 828 70943d0-70943da 822->828 829 7094407-7094436 822->829 823->822 824 7094383-7094385 823->824 825 70943a8-70943ab 824->825 826 7094387-7094391 824->826 825->822 830 7094393 826->830 831 7094395-70943a4 826->831 828->829 832 70943dc-70943de 828->832 839 7094438-7094442 829->839 840 709446f-70944c7 829->840 830->831 831->831 833 70943a6 831->833 834 7094401-7094404 832->834 835 70943e0-70943ea 832->835 833->825 834->829 837 70943ec 835->837 838 70943ee-70943fd 835->838 837->838 838->838 841 70943ff 838->841 839->840 842 7094444-7094446 839->842 850 70944ce-7094529 CreateProcessA 840->850 841->834 844 7094469-709446c 842->844 845 7094448-7094452 842->845 844->840 846 7094454 845->846 847 7094456-7094465 845->847 846->847 847->847 849 7094467 847->849 849->844 851 709452b-7094531 850->851 852 7094532-70945b8 850->852 851->852 862 70945c8-70945cc 852->862 863 70945ba-70945be 852->863 865 70945dc-70945e0 862->865 866 70945ce-70945d2 862->866 863->862 864 70945c0 863->864 864->862 867 70945f0-70945f4 865->867 868 70945e2-70945e6 865->868 866->865 869 70945d4 866->869 871 7094606-709460d 867->871 872 70945f6-70945fc 867->872 868->867 870 70945e8 868->870 869->865 870->867 873 709460f-709461e 871->873 874 7094624 871->874 872->871 873->874 876 7094625 874->876 876->876
                                                                        APIs
                                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07094516
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1731604429.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7090000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID: CreateProcess
                                                                        • String ID:
                                                                        • API String ID: 963392458-0
                                                                        • Opcode ID: 35b378cc118df4d45eae442ca828c0c2fe87ef45f4df76bf64e17bdb7e18e32a
                                                                        • Instruction ID: b158e62a6b43f32c5d535ad3f62a2ba25bd7b098e84185f7928efdba913695ed
                                                                        • Opcode Fuzzy Hash: 35b378cc118df4d45eae442ca828c0c2fe87ef45f4df76bf64e17bdb7e18e32a
                                                                        • Instruction Fuzzy Hash: 40A14CB1D0065ADFDF24CFA8C8417DEBBF2AF44310F148269E848A7240DB749986DF91

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 877 70942e0-7094375 879 70943ae-70943ce 877->879 880 7094377-7094381 877->880 885 70943d0-70943da 879->885 886 7094407-7094436 879->886 880->879 881 7094383-7094385 880->881 882 70943a8-70943ab 881->882 883 7094387-7094391 881->883 882->879 887 7094393 883->887 888 7094395-70943a4 883->888 885->886 889 70943dc-70943de 885->889 896 7094438-7094442 886->896 897 709446f-7094529 CreateProcessA 886->897 887->888 888->888 890 70943a6 888->890 891 7094401-7094404 889->891 892 70943e0-70943ea 889->892 890->882 891->886 894 70943ec 892->894 895 70943ee-70943fd 892->895 894->895 895->895 898 70943ff 895->898 896->897 899 7094444-7094446 896->899 908 709452b-7094531 897->908 909 7094532-70945b8 897->909 898->891 901 7094469-709446c 899->901 902 7094448-7094452 899->902 901->897 903 7094454 902->903 904 7094456-7094465 902->904 903->904 904->904 906 7094467 904->906 906->901 908->909 919 70945c8-70945cc 909->919 920 70945ba-70945be 909->920 922 70945dc-70945e0 919->922 923 70945ce-70945d2 919->923 920->919 921 70945c0 920->921 921->919 924 70945f0-70945f4 922->924 925 70945e2-70945e6 922->925 923->922 926 70945d4 923->926 928 7094606-709460d 924->928 929 70945f6-70945fc 924->929 925->924 927 70945e8 925->927 926->922 927->924 930 709460f-709461e 928->930 931 7094624 928->931 929->928 930->931 933 7094625 931->933 933->933
                                                                        APIs
                                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07094516
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1731604429.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7090000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID: CreateProcess
                                                                        • String ID:
                                                                        • API String ID: 963392458-0
                                                                        • Opcode ID: 54e3a7479cfb828c1f246cca3b43f5adf74fd34f8a0d75fe21ecc4dc75a589e2
                                                                        • Instruction ID: 98ad712d81c80f75bfd654ec36c06bde6e2989037c0799568d7ce81cb04dc760
                                                                        • Opcode Fuzzy Hash: 54e3a7479cfb828c1f246cca3b43f5adf74fd34f8a0d75fe21ecc4dc75a589e2
                                                                        • Instruction Fuzzy Hash: 61913BB1D0065ADFDF24CFA8C84179EBBF2AF48310F148269E858A7250DB749986DF91

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 934 2e8ae48-2e8ae57 935 2e8ae59-2e8ae66 call 2e8a1a0 934->935 936 2e8ae83-2e8ae87 934->936 943 2e8ae68 935->943 944 2e8ae7c 935->944 937 2e8ae89-2e8ae93 936->937 938 2e8ae9b-2e8aedc 936->938 937->938 945 2e8aee9-2e8aef7 938->945 946 2e8aede-2e8aee6 938->946 989 2e8ae6e call 2e8b0e0 943->989 990 2e8ae6e call 2e8b0d1 943->990 944->936 947 2e8aef9-2e8aefe 945->947 948 2e8af1b-2e8af1d 945->948 946->945 952 2e8af09 947->952 953 2e8af00-2e8af07 call 2e8a1ac 947->953 951 2e8af20-2e8af27 948->951 949 2e8ae74-2e8ae76 949->944 950 2e8afb8-2e8b078 949->950 984 2e8b07a-2e8b07d 950->984 985 2e8b080-2e8b0ab GetModuleHandleW 950->985 955 2e8af29-2e8af31 951->955 956 2e8af34-2e8af3b 951->956 954 2e8af0b-2e8af19 952->954 953->954 954->951 955->956 958 2e8af48-2e8af51 call 2e8a1bc 956->958 959 2e8af3d-2e8af45 956->959 965 2e8af5e-2e8af63 958->965 966 2e8af53-2e8af5b 958->966 959->958 967 2e8af81-2e8af8e 965->967 968 2e8af65-2e8af6c 965->968 966->965 974 2e8af90-2e8afae 967->974 975 2e8afb1-2e8afb7 967->975 968->967 970 2e8af6e-2e8af7e call 2e8a1cc call 2e8a1dc 968->970 970->967 974->975 984->985 986 2e8b0ad-2e8b0b3 985->986 987 2e8b0b4-2e8b0c8 985->987 986->987 989->949 990->949
                                                                        APIs
                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 02E8B09E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1728719897.0000000002E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E80000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2e80000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID: HandleModule
                                                                        • String ID:
                                                                        • API String ID: 4139908857-0
                                                                        • Opcode ID: d39103d3d94136714876070ab2e4b84dda1b4ffaefa3ef0987031b6c231f25fe
                                                                        • Instruction ID: 301bb2f0215dbab0e7cc5a10113f179dc6bd01a51fb797cb0bf27e2457ca7017
                                                                        • Opcode Fuzzy Hash: d39103d3d94136714876070ab2e4b84dda1b4ffaefa3ef0987031b6c231f25fe
                                                                        • Instruction Fuzzy Hash: 287136B1A00B058FD724EF2AD44575ABBF1BF88308F10992EE48AD7B50DB34E845CB91

                                                                        Control-flow Graph (graph figure not reproduced)
                                                                        APIs
                                                                        • CreateActCtxA.KERNEL32(?), ref: 02E859C9
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1728719897.0000000002E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E80000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2e80000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID: Create
                                                                        • String ID:
                                                                        • API String ID: 2289755597-0
                                                                        • Opcode ID: d67137f5b34728eee30a64cf56a06e6cf04c9bdbd1623b02cc0b4d6f4577edf4
                                                                        • Instruction ID: 6729aee02d5059c19635f0bf2dd0f56f666bd6cc57a3ccce529817b7c27c33ef
                                                                        • Opcode Fuzzy Hash: d67137f5b34728eee30a64cf56a06e6cf04c9bdbd1623b02cc0b4d6f4577edf4
                                                                        • Instruction Fuzzy Hash: 5C41D1B0C00629CBDF24DFA9C985BCDBBF5BF49304F60806AD418AB255DB756946CF90
                                                                        APIs
                                                                        • CreateActCtxA.KERNEL32(?), ref: 02E859C9
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1728719897.0000000002E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E80000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2e80000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID: Create
                                                                        • String ID:
                                                                        • API String ID: 2289755597-0
                                                                        • Opcode ID: 72a39d419d998935f3e92e17e0308a3b93df90ad0ba80640d3e2041a48ffa109
                                                                        • Instruction ID: 711a1507cb0e542e6bb9e7a8f1020cfa31156a06d068ae47b12d0eb84bbd03f9
                                                                        • Opcode Fuzzy Hash: 72a39d419d998935f3e92e17e0308a3b93df90ad0ba80640d3e2041a48ffa109
                                                                        • Instruction Fuzzy Hash: 0641BFB0C0062DCADB24DFA9C984B9EBBF5BF49304F60806AD448AB255DB756945CF90
                                                                        APIs
                                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 070940E8
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1731604429.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7090000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID: MemoryProcessWrite
                                                                        • String ID:
                                                                        • API String ID: 3559483778-0
                                                                        • Opcode ID: 060cd1e3b4723408e8372df8602d87a10370b192f54a5ecc3067201f151c1131
                                                                        • Instruction ID: cfdb6df19c876408d8a58868ba59ef6db5ce0b9ec757ffcefae476aae5883310
                                                                        • Opcode Fuzzy Hash: 060cd1e3b4723408e8372df8602d87a10370b192f54a5ecc3067201f151c1131
                                                                        • Instruction Fuzzy Hash: E62126B190034A9FCF10CFA9C881BDEBBF5FF88320F10842AE958A7241D7789555DBA1
                                                                        APIs
                                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 070940E8
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1731604429.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7090000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID: MemoryProcessWrite
                                                                        • String ID:
                                                                        • API String ID: 3559483778-0
                                                                        • Opcode ID: ec6d250b0d8b3474672711851d700fce93e37a1313908fab1bf5cee369c38db4
                                                                        • Instruction ID: 13cf3ea56ba75037bb775eedf755c3858da4419a6cb1749808f47e75069f727d
                                                                        • Opcode Fuzzy Hash: ec6d250b0d8b3474672711851d700fce93e37a1313908fab1bf5cee369c38db4
                                                                        • Instruction Fuzzy Hash: 992146B19003499FCF10CFA9C881BDEBBF5FF88320F10842AE918A7240C7789940DBA1
                                                                        APIs
                                                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07093B06
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1731604429.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7090000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID: ContextThreadWow64
                                                                        • String ID:
                                                                        • API String ID: 983334009-0
                                                                        • Opcode ID: 38e8c2605c9c2b0872d31d427d1e2e76d969feeb0b236fd7b98acf947324ef16
                                                                        • Instruction ID: 2d401f242ff451606bfc70bbb9bfb9b58069bc02ba84dfa39ac6f7647a2000b6
                                                                        • Opcode Fuzzy Hash: 38e8c2605c9c2b0872d31d427d1e2e76d969feeb0b236fd7b98acf947324ef16
                                                                        • Instruction Fuzzy Hash: 9A2145B19002098FDB10CFAAC4857EEBFF4EF88320F14842AD519A7241C7789944DFA1
                                                                        APIs
                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 070941C8
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1731604429.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7090000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID: MemoryProcessRead
                                                                        • String ID:
                                                                        • API String ID: 1726664587-0
                                                                        • Opcode ID: 745704f3603caf3f7dda08e2611cf44c35134fe471f4f67956f6e33aaab53fbf
                                                                        • Instruction ID: 479b3278d9619b63c9abbf045d16bd3fc554903928abaea3eff5db9a7adc18e6
                                                                        • Opcode Fuzzy Hash: 745704f3603caf3f7dda08e2611cf44c35134fe471f4f67956f6e33aaab53fbf
                                                                        • Instruction Fuzzy Hash: C82105B1D002599FCB10DFAAC881AEEBBF5FF48320F20842AE518A7250C7789515DBA1
                                                                        APIs
                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02E8D6E6,?,?,?,?,?), ref: 02E8D7A7
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1728719897.0000000002E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E80000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2e80000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID: DuplicateHandle
                                                                        • String ID:
                                                                        • API String ID: 3793708945-0
                                                                        • Opcode ID: 2618a93b8ee6817342d4b2d59401a16db424383f254fb0139497394e3d293101
                                                                        • Instruction ID: 912e9f3b70941d2153e51405b4bc6ca631ed9eb281d860fb44cc30da643c8c08
                                                                        • Opcode Fuzzy Hash: 2618a93b8ee6817342d4b2d59401a16db424383f254fb0139497394e3d293101
                                                                        • Instruction Fuzzy Hash: C12105B59002089FDB10CFAAD984ADEBFF4EB48310F14805AE918A3350C375A950CFA0
                                                                        APIs
                                                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07093B06
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1731604429.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7090000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID: ContextThreadWow64
                                                                        • String ID:
                                                                        • API String ID: 983334009-0
                                                                        • Opcode ID: c8caa9bc04f309e8667d5650ba66573c9a77b2758e4d86d1f62798394e93ba9b
                                                                        • Instruction ID: 74e82893d33eba739c72c189bc3ce008a339d5cc979c9eddae387a21102d487c
                                                                        • Opcode Fuzzy Hash: c8caa9bc04f309e8667d5650ba66573c9a77b2758e4d86d1f62798394e93ba9b
                                                                        • Instruction Fuzzy Hash: 172118B1D103099FDB10DFAAC485BAEFBF4EF98324F14842AD519A7241C7789944DFA1
                                                                        APIs
                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 070941C8
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1731604429.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7090000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID: MemoryProcessRead
                                                                        • String ID:
                                                                        • API String ID: 1726664587-0
                                                                        • Opcode ID: ca8f24ad3bf96424ab0a2f113ce0544f867c883931f836b7b449e71a59cbec15
                                                                        • Instruction ID: ca081786b3b6b73fbc8fea2198f31788aa124198cb980cc6cae9a6c285c51090
                                                                        • Opcode Fuzzy Hash: ca8f24ad3bf96424ab0a2f113ce0544f867c883931f836b7b449e71a59cbec15
                                                                        • Instruction Fuzzy Hash: 552128B1D003599FCB10CFAAC881AEEFBF5FF48320F10842AE518A7250C7789501DBA1
                                                                        APIs
                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02E8D6E6,?,?,?,?,?), ref: 02E8D7A7
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1728719897.0000000002E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E80000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2e80000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID: DuplicateHandle
                                                                        • String ID:
                                                                        • API String ID: 3793708945-0
                                                                        • Opcode ID: 18f5acbc599666a618753eec4ddfd7f09f4c1feeba93d9d24dd276fb899995a8
                                                                        • Instruction ID: bf0608753817e3934ea851b48a215bb80e6a7908ce0cc2da623256395f580164
                                                                        • Opcode Fuzzy Hash: 18f5acbc599666a618753eec4ddfd7f09f4c1feeba93d9d24dd276fb899995a8
                                                                        • Instruction Fuzzy Hash: 1D21E4B5D10209DFDB10CFA9D985ADEBBF5EB48314F24841AE918B3350D374A950CF61
                                                                        APIs
                                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07094006
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1731604429.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7090000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID: AllocVirtual
                                                                        • String ID:
                                                                        • API String ID: 4275171209-0
                                                                        • Opcode ID: 484b7a103a337f3a788367870cfdfc7590aedaf0f8af2a85d16f3b1fadc5cc5d
                                                                        • Instruction ID: 550b0402cbc89f13216d41249a300c5dff74f1f2196aeb178314afc10f729789
                                                                        • Opcode Fuzzy Hash: 484b7a103a337f3a788367870cfdfc7590aedaf0f8af2a85d16f3b1fadc5cc5d
                                                                        • Instruction Fuzzy Hash: 561147B19002499FCF20DFAAC845BDEBFF5EF88320F24881AE559A7250C7759544DBA1
                                                                        APIs
                                                                        • VirtualProtect.KERNELBASE(?,?,?,?), ref: 07607D33
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1732541298.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7600000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID: ProtectVirtual
                                                                        • String ID:
                                                                        • API String ID: 544645111-0
                                                                        • Opcode ID: 0f2bed8d2dca462d0e4c196a8499268bb0bbeef2e6c4f7b29a2863b4cfcddf62
                                                                        • Instruction ID: 41e8b448385dcf26ff2af988be902b182d84574e9c509e419abe1b1febbced96
                                                                        • Opcode Fuzzy Hash: 0f2bed8d2dca462d0e4c196a8499268bb0bbeef2e6c4f7b29a2863b4cfcddf62
                                                                        • Instruction Fuzzy Hash: 2321D6B59002499FCB10CF9AD585BDEFBF4EB48320F108429E559A7250D378A544DFA1
                                                                        APIs
                                                                        • VirtualProtect.KERNELBASE(?,?,?,?), ref: 07607D33
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1732541298.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7600000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID: ProtectVirtual
                                                                        • String ID:
                                                                        • API String ID: 544645111-0
                                                                        • Opcode ID: f22fe04bb2f0a0455f3c9a5ad5ec88c7cc882fbe5df64aae1493f7dace06af6b
                                                                        • Instruction ID: a6b0f39ca99deed27d9aecf292a7194282ac77617f3d43a23053c9bf5d38fa5a
                                                                        • Opcode Fuzzy Hash: f22fe04bb2f0a0455f3c9a5ad5ec88c7cc882fbe5df64aae1493f7dace06af6b
                                                                        • Instruction Fuzzy Hash: 0321F4B59002499FCB10CF9AC585ADEBBF4FB48320F10842AE558A7650D378A544DFA1
                                                                        APIs
                                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07094006
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1731604429.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7090000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID: AllocVirtual
                                                                        • String ID:
                                                                        • API String ID: 4275171209-0
                                                                        • Opcode ID: 6d8a1b052788236191e53549ac4d5cb4a96d828d58b244cb6f9357e27545e805
                                                                        • Instruction ID: 870c13dfad44413d81c9c355e3a23f2ecdce8d4e51ec614961894d2d8a411673
                                                                        • Opcode Fuzzy Hash: 6d8a1b052788236191e53549ac4d5cb4a96d828d58b244cb6f9357e27545e805
                                                                        • Instruction Fuzzy Hash: 8B1126B29002499FCB20DFAAC845ADFBFF5EF88320F248419E519A7250C775A540DBA1
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1731604429.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7090000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID: ResumeThread
                                                                        • String ID:
                                                                        • API String ID: 947044025-0
                                                                        • Opcode ID: fae12ed02021f95681bb95e85ba20e8fb9bb5eae6ef18fa3bfe4be0ea056c218
                                                                        • Instruction ID: efe146f8555c2cef2477abf6ae72b0557dbc2cd505837d76d0861f0d52d08361
                                                                        • Opcode Fuzzy Hash: fae12ed02021f95681bb95e85ba20e8fb9bb5eae6ef18fa3bfe4be0ea056c218
                                                                        • Instruction Fuzzy Hash: C71146B1D002498EDB20CFAAC4457AEFFF5AF88324F24842AD419A7250C779A541CF95
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1731604429.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7090000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID: ResumeThread
                                                                        • String ID:
                                                                        • API String ID: 947044025-0
                                                                        • Opcode ID: 7b88815154e2d793074e6065c9759f35d77dd26cf1d9452a8ff213b2b4b80873
                                                                        • Instruction ID: 4bb570e0bbd24b7b3ea19abad68182f9ede7921c2ab10380cba20739a7ebab2e
                                                                        • Opcode Fuzzy Hash: 7b88815154e2d793074e6065c9759f35d77dd26cf1d9452a8ff213b2b4b80873
                                                                        • Instruction Fuzzy Hash: 8A1128B1D002498BDB20DFAAC44579EFBF5EB88324F248419D519A7340C779A540CF95
                                                                        APIs
                                                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 07096A6D
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1731604429.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7090000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID: MessagePost
                                                                        • String ID:
                                                                        • API String ID: 410705778-0
                                                                        • Opcode ID: 5f4b8265b3bae5530183e27df39c991f633fdd7a17dd1e05e13248637c32a8f0
                                                                        • Instruction ID: b7ab85b4efabb751f2c494e664d51a7379643dc80ba7cb919e80fe02533a02f2
                                                                        • Opcode Fuzzy Hash: 5f4b8265b3bae5530183e27df39c991f633fdd7a17dd1e05e13248637c32a8f0
                                                                        • Instruction Fuzzy Hash: C511F5B58002499FDB10CF9AD485BDEFFF9EB48320F24851AE558A3300D375A554CFA1
                                                                        APIs
                                                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 07096A6D
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1731604429.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7090000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID: MessagePost
                                                                        • String ID:
                                                                        • API String ID: 410705778-0
                                                                        • Opcode ID: 7eab42ea8c122f83e1640cb618ce73afb49c896341b3b16368de2d298b8fac18
                                                                        • Instruction ID: 56968725532775985cf89c405c5d4ed84e616b0fc961b83203568d83205ebbda
                                                                        • Opcode Fuzzy Hash: 7eab42ea8c122f83e1640cb618ce73afb49c896341b3b16368de2d298b8fac18
                                                                        • Instruction Fuzzy Hash: 7A11F2B58003499FCB20DF9AD885BDEFBF8EB48320F20841AE559A7210C375A944CFA5
                                                                        APIs
                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 02E8B09E
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1728719897.0000000002E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E80000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2e80000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID: HandleModule
                                                                        • String ID:
                                                                        • API String ID: 4139908857-0
                                                                        • Opcode ID: 2ef6579244e1a6183dd92aba47260dbaa2d79c725890dd015d5cfe6232e7d610
                                                                        • Instruction ID: 9c8d6f056886ea243402cbbd1bead4520afbc690b9e2f754b5d0a68d36023cf1
                                                                        • Opcode Fuzzy Hash: 2ef6579244e1a6183dd92aba47260dbaa2d79c725890dd015d5cfe6232e7d610
                                                                        • Instruction Fuzzy Hash: F71102B5C00249CFCB20DF9AC444B9EFBF4EB88328F20841AD468A7210D375A545CFA1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1728430040.000000000178D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0178D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_178d000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c17b6edf78639a1b807605e449ad4937a8613cef0782bdc8143572a7ba5000e9
                                                                        • Instruction ID: 38c63210566d4221856b1b3f8b31cae057c5665ae1abdc5aa1299fb68f352050
                                                                        • Opcode Fuzzy Hash: c17b6edf78639a1b807605e449ad4937a8613cef0782bdc8143572a7ba5000e9
                                                                        • Instruction Fuzzy Hash: AF2136B1144204DFDB25EF88D9C0B66FF65FB84324F20C5A9ED0D0B296C336E446CAA1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1728479522.000000000179D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0179D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_179d000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a366d43a6a546e63374ca736c3c6b243e66a174390b411fce1e8e8cb7a87e735
                                                                        • Instruction ID: bbfc24a836bda2e7d83581ee06b15f140cb29f6c3bbe53e65aa7e959601a6254
                                                                        • Opcode Fuzzy Hash: a366d43a6a546e63374ca736c3c6b243e66a174390b411fce1e8e8cb7a87e735
                                                                        • Instruction Fuzzy Hash: 8821F1B16042009FDF25DF58E5C4B26FB65EB84354F20C5A9D90A4B246C33AD40ACA61
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1728479522.000000000179D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0179D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_179d000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 30753ae43e510bd577fe31e0d8093ae5c063847c299f1bc5326c132ba4dbd113
                                                                        • Instruction ID: b2532d8c7f15b74ebe18f753e39aaf480cfa4fc058301f50d9c9f44a81f94e4f
                                                                        • Opcode Fuzzy Hash: 30753ae43e510bd577fe31e0d8093ae5c063847c299f1bc5326c132ba4dbd113
                                                                        • Instruction Fuzzy Hash: F72107B5508200EFDF25DF98E5C0B26FB65FB84324F24C5EDE9094B296C336D44ACA61
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1728430040.000000000178D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0178D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_178d000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                                                        • Instruction ID: 830490a247138e785936096ac201d3437dcaede8aff248414604f4bf5f2cf8f2
                                                                        • Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                                                        • Instruction Fuzzy Hash: 3111CD72444240DFDB12DF48D5C0B56BF62FB84224F2482A9DD090A656C33AE45ACBA1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1728479522.000000000179D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0179D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_179d000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
                                                                        • Instruction ID: 9a793a63370a7c752f8809d828966456bae832fb9bb1d7cba6383039b07f845a
                                                                        • Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
                                                                        • Instruction Fuzzy Hash: 84118B75508280DFDB26CF54D6C4B15FBA2FB84224F24C6AAD8494B696C33AD44ACB61
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1728479522.000000000179D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0179D000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_179d000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
                                                                        • Instruction ID: 550da73442f850668d3cf04bb5dcbaeba9bbb381fb9665b56aae4f1707a223e8
                                                                        • Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
                                                                        • Instruction Fuzzy Hash: C311DD75504280CFDB22CF58E5C4B15FFA2FB88314F24C6AAD8094B656C33AD44ACBA2
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1732541298.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7600000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: {#L
                                                                        • API String ID: 0-1361971085
                                                                        • Opcode ID: fc535cb04bc171b75902fda7436bdf63ce7b3e6f56e729ca151f24f2e534e46f
                                                                        • Instruction ID: adb0b3bff31a70af6cc5e294a6264e91b47f32498d4f75d3e71dc4332a3c8ec3
                                                                        • Opcode Fuzzy Hash: fc535cb04bc171b75902fda7436bdf63ce7b3e6f56e729ca151f24f2e534e46f
                                                                        • Instruction Fuzzy Hash: 9AD114B1E15219DBCB18CFEAC98049EFBF2BF89340F14D52AD41AAB264D7309942CF50
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1732541298.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7600000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: {#L
                                                                        • API String ID: 0-1361971085
                                                                        • Opcode ID: e732b07847f152b728529677cc3275f941ef2e12354655555a3852456845cc75
                                                                        • Instruction ID: a14f5c5714a8fe11ad69c369485848445507abfd6178c0b5609e8132450a5f4f
                                                                        • Opcode Fuzzy Hash: e732b07847f152b728529677cc3275f941ef2e12354655555a3852456845cc75
                                                                        • Instruction Fuzzy Hash: 6DD124B1E15619DBCB18CFEAC98059EFBF2BF89340F14D52AD41AAB264D7309942CF50
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1732541298.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7600000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: l|
                                                                        • API String ID: 0-1955549514
                                                                        • Opcode ID: 77318177ca683fa729c59c2002fc47abe634949ed089769e41ac16248eae5d9b
                                                                        • Instruction ID: 1f3b7c7021b7b11c3dffb5c4e994fec6c7f25a5f1bef2ca94aed8c8241993f63
                                                                        • Opcode Fuzzy Hash: 77318177ca683fa729c59c2002fc47abe634949ed089769e41ac16248eae5d9b
                                                                        • Instruction Fuzzy Hash: 69617DB0E1420ADBDB08CF9AC5815AFFBB2FB85201F14D56DC416A7380E774AA41CF95
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1732541298.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7600000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 98R
                                                                        • API String ID: 0-576591972
                                                                        • Opcode ID: 6f49ef6c3a365fa6f98e992b1d5f449765cd5d2dc5fc3aa68a322188546a946d
                                                                        • Instruction ID: 7847e9c87a1c42fe8d6bcd1c700531d19150f9f73ec030ac0ddcc0c5cea9c038
                                                                        • Opcode Fuzzy Hash: 6f49ef6c3a365fa6f98e992b1d5f449765cd5d2dc5fc3aa68a322188546a946d
                                                                        • Instruction Fuzzy Hash: 3F7127B5E1520EDFCB08CF99D5819AEFBB2FB8A310F148529D415AB354D3349A82CF94
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1732541298.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7600000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: iUfo
                                                                        • API String ID: 0-3820436262
                                                                        • Opcode ID: e197ed98e75973fc4180904ebae93fece1987a92d9f6eec5cc5e87999d6ef816
                                                                        • Instruction ID: b7862cfb1a0eba5f3bc0f5035236059345aefd233e6b93365e8ee7a8b2cf2b92
                                                                        • Opcode Fuzzy Hash: e197ed98e75973fc4180904ebae93fece1987a92d9f6eec5cc5e87999d6ef816
                                                                        • Instruction Fuzzy Hash: 0F5104B4E1121A9FDF08CFA9D5456EEFBF2BF89300F10942AE406B7354EB3459428B94
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1732541298.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7600000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: iUfo
                                                                        • API String ID: 0-3820436262
                                                                        • Opcode ID: 72a7540d065493ccdc86165a5aa0a064ea6a71f971b19cf74ac222cfb79f67d7
                                                                        • Instruction ID: 1490cdab5b123c97fb32ebe031d64c82dcb8db1edb6686b9fc98a807cf5c2963
                                                                        • Opcode Fuzzy Hash: 72a7540d065493ccdc86165a5aa0a064ea6a71f971b19cf74ac222cfb79f67d7
                                                                        • Instruction Fuzzy Hash: B851D1B4E1161A9FDF08CFA9D9455EEFBF2BF89300F10942AE406B7254EB3459428F94
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1732541298.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7600000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: -2m
                                                                        • API String ID: 0-2686427999
                                                                        • Opcode ID: 4a771e30c09921ed82c9e76dfb751e0fb2e155f50e5edc61976a8ee913beeb0f
                                                                        • Instruction ID: 7a0797a5537815ff226dd2c87e1799e703e58a0c3340783fe7b956a8fcbb016c
                                                                        • Opcode Fuzzy Hash: 4a771e30c09921ed82c9e76dfb751e0fb2e155f50e5edc61976a8ee913beeb0f
                                                                        • Instruction Fuzzy Hash: 40512BB5D152198FDB09CFAAC5406AFFBF2FF89301F24D02AD41AA7294D73499418BA4
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1732541298.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7600000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: w7e^
                                                                        • API String ID: 0-1657886525
                                                                        • Opcode ID: 904e2e9424f8a54155a3a6f5ee723e566d199898666db55ff6a6fa6763f053bf
                                                                        • Instruction ID: 545622b2010a87cae791c31b8795cb0fec077330380dcba629547dae13228dc2
                                                                        • Opcode Fuzzy Hash: 904e2e9424f8a54155a3a6f5ee723e566d199898666db55ff6a6fa6763f053bf
                                                                        • Instruction Fuzzy Hash: B74137B4D1561ADFCF08CFA6C5405EFFBB1BB8A200F14942AC416B7284E7784642CF98
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1732541298.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7600000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: w7e^
                                                                        • API String ID: 0-1657886525
                                                                        • Opcode ID: dcd7b79faf97f361cd3a8196aa04ba413d76c0348d679be13147264fee2d7fe7
                                                                        • Instruction ID: fba8cd9a8c07873fb8fbcfed18dd4e3d6ef09e16bcf0dc866e16eb1264d9c42a
                                                                        • Opcode Fuzzy Hash: dcd7b79faf97f361cd3a8196aa04ba413d76c0348d679be13147264fee2d7fe7
                                                                        • Instruction Fuzzy Hash: CF4137B5D1560ACFCB08CFA6C5416EFFBB1FB89301F14982AC416B7694E73846428F98
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1732541298.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7600000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 0ni
                                                                        • API String ID: 0-1488673370
                                                                        • Opcode ID: 944bb85b1c6f9da86d4e7452eaacfd81b2b46049fe1c704b0e8690c769e01ae0
                                                                        • Instruction ID: 91d271617a76ceaab4b9b9430e5ca3e9f783ed987e6fe05cc0ca1f3d27ce3fef
                                                                        • Opcode Fuzzy Hash: 944bb85b1c6f9da86d4e7452eaacfd81b2b46049fe1c704b0e8690c769e01ae0
                                                                        • Instruction Fuzzy Hash: 08514AB1E116188BDB58CF6B894579EFBF3AFC8200F14C1BA950DA6264EB341A858F51
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1732541298.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7600000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 0ni
                                                                        • API String ID: 0-1488673370
                                                                        • Opcode ID: f6cc50933a4358a588ce7e8f05c4f992ae0d154520b38eec3105914b72f28019
                                                                        • Instruction ID: 879b58278ebbd44199267bde1d5a98465cc6598f653adeb4e59ee0fe638ddfe8
                                                                        • Opcode Fuzzy Hash: f6cc50933a4358a588ce7e8f05c4f992ae0d154520b38eec3105914b72f28019
                                                                        • Instruction Fuzzy Hash: 05514BB1E016188BDB58DF6B8D4579EFBF3BFC8200F14C1BA940DA6265EB340A858F51
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1731604429.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7090000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 013248fcef0f2da5171fb25f5548eb1d620c9f9431b4d0c67447927ff159bdb6
                                                                        • Instruction ID: 4db798f99c80ac774c0cea96efdff7bded7254b7e0c0a7ee7ba8db78603421f9
                                                                        • Opcode Fuzzy Hash: 013248fcef0f2da5171fb25f5548eb1d620c9f9431b4d0c67447927ff159bdb6
                                                                        • Instruction Fuzzy Hash: 18E1FBB4E0411A8FCB14DF99C5909AEFBF2FF49304F248269D815AB355D730A982DFA1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1731604429.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7090000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: de670080abe08047f2ce9d1449228ad5e526bb77c9bd5860cdbeaa1194e9f91a
                                                                        • Instruction ID: d0a56ec0bf816a9aab72cf32bf133728faf50fe72887b9805439acf20a222760
                                                                        • Opcode Fuzzy Hash: de670080abe08047f2ce9d1449228ad5e526bb77c9bd5860cdbeaa1194e9f91a
                                                                        • Instruction Fuzzy Hash: E5E11CB4E0411A8FCB14DFA9C5909AEFBF2FF49304F248269D815AB355D770A981DFA0
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1731604429.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7090000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a15d896653b42157963b4a31e1c63013348eee462ebcf7bbfa8f50cf63426e57
                                                                        • Instruction ID: 92adb98acfd584d0c589f290b7d76ee104f27506094136d9770b02e7468d3db0
                                                                        • Opcode Fuzzy Hash: a15d896653b42157963b4a31e1c63013348eee462ebcf7bbfa8f50cf63426e57
                                                                        • Instruction Fuzzy Hash: 76E1FBB4E011198FCB14DF99C5909AEFBF2FF89304F248269D815AB355D731A982CFA0
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1731604429.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7090000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e5753550d45b007c29863d21cc5818d67ab14daf640284afe76ebb0a97264e43
                                                                        • Instruction ID: a473c6f10be76d85ae58a429dc94ccd519c69a685bba5c2e844047f6a0ee47fd
                                                                        • Opcode Fuzzy Hash: e5753550d45b007c29863d21cc5818d67ab14daf640284afe76ebb0a97264e43
                                                                        • Instruction Fuzzy Hash: AFE1FCB4E0511A8FCB14DFA9C5909AEFBF2FF49304F248269D814A7355D770A982CFA0
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1731604429.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7090000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b08cc6a476f8723ce8d2dce69c1ec2eab00de3a9a377e31b21683cbd46222337
                                                                        • Instruction ID: 4763c27f0ea9148a583155c5f84a400f56699a92590b878e830f6c51c834534c
                                                                        • Opcode Fuzzy Hash: b08cc6a476f8723ce8d2dce69c1ec2eab00de3a9a377e31b21683cbd46222337
                                                                        • Instruction Fuzzy Hash: 4DE1EBB4E041198FCB14DF99C5909AEFBF2FF49314F248269D814AB355D770A982DFA0
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1728719897.0000000002E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E80000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_2e80000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6d6910531c6fb7d6144f3ad13525b9804ec581f551a4a845ddbe75a518794caa
                                                                        • Instruction ID: 434b5719120b26e379ce7e28975293aa3aae32636c19679f53d91104c326ab2e
                                                                        • Opcode Fuzzy Hash: 6d6910531c6fb7d6144f3ad13525b9804ec581f551a4a845ddbe75a518794caa
                                                                        • Instruction Fuzzy Hash: D5A18232E40209CFCF05EFB4C8845AEB7B2FF85304B65956AE809AB661DB31E955CF50
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1732541298.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7600000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3733da2ec9593f0394d753fa9f3127a25a149f67ab9b2001126894ab4a4220a4
                                                                        • Instruction ID: d528bb5bc3421b08ecfde9409e305e7a83a54e58dfcd40b7af32e67643e1617e
                                                                        • Opcode Fuzzy Hash: 3733da2ec9593f0394d753fa9f3127a25a149f67ab9b2001126894ab4a4220a4
                                                                        • Instruction Fuzzy Hash: 68B1F7B1D15209DFDB18CFE6D98059EFBB2BF89340F20D42AD01AA7254DB34AA06CF50
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1732541298.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7600000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 73ae0e2c48a36d5f89e2c0e92d9e9bcb2880245ee33c0deb85f4e29d5705a4d9
                                                                        • Instruction ID: 3f87a74f7731cc832d5fc02a3f30c8aaf5626a4c16cf406443986a5c2362589b
                                                                        • Opcode Fuzzy Hash: 73ae0e2c48a36d5f89e2c0e92d9e9bcb2880245ee33c0deb85f4e29d5705a4d9
                                                                        • Instruction Fuzzy Hash: 45B1F6B1D152099FDB18CFE6D98059EFBB2BF89340F20D42AD41AA7254DB34AA42CF50
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1732541298.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7600000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ef3399ebb8fa29c68558e9ff3536c081120de3889b87b6fada80e8eab99bd313
                                                                        • Instruction ID: c41000bdd139856cc71bd4adcdec6db2a943dd6804d6b696e24be144c5d9ea29
                                                                        • Opcode Fuzzy Hash: ef3399ebb8fa29c68558e9ff3536c081120de3889b87b6fada80e8eab99bd313
                                                                        • Instruction Fuzzy Hash: 9A91D8B4A15219DFCB08CF9AC58499EFBF1FF89311F249569D416AB360D330AA42CF91
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1732541298.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7600000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 662a4372b05e5e2c861f59005b122a6d2becbfbe353f6898398ee92ad6efeff7
                                                                        • Instruction ID: fad22dc025315c34f04bc248e42c5a737643e272ee4cc632e0948c482d8f9259
                                                                        • Opcode Fuzzy Hash: 662a4372b05e5e2c861f59005b122a6d2becbfbe353f6898398ee92ad6efeff7
                                                                        • Instruction Fuzzy Hash: 5A91C4B4A1521ACFCB08CF9AC58499EFBF1FF89311F249559D416AB364D330AA42CF91
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1732541298.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7600000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 44c1455e0b8ad77664b3132a988e2d28052142170a0a90a9fe601f61be9c525f
                                                                        • Instruction ID: ab198326b2a98cb518c39416e28ee2aacc2501612cc618e930bd13fc3add2f2f
                                                                        • Opcode Fuzzy Hash: 44c1455e0b8ad77664b3132a988e2d28052142170a0a90a9fe601f61be9c525f
                                                                        • Instruction Fuzzy Hash: 83812FB4E142198FCB14DFA9C5905AEFBB6FF89300F24C199D819A7356D730A981CFA1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1732541298.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7600000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ce754e0449e6968b84d3568607f720516d7a435812b5c7cb6002e32bd3807710
                                                                        • Instruction ID: 3c9ef65d3ca84b0dbc469c0ff1b63d11f217d7653914f4a2a08193db33c28ac1
                                                                        • Opcode Fuzzy Hash: ce754e0449e6968b84d3568607f720516d7a435812b5c7cb6002e32bd3807710
                                                                        • Instruction Fuzzy Hash: E071F8B4E15609CFCB08CFA9C9809DEFBF2FF89210F24946AD416B7265E33499528F54
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1732541298.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7600000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5b23a473bafc0da78bf8984c29d70a100c787d684718c4bc2f33176d467986a8
                                                                        • Instruction ID: aceb19845aebb5eeae1fd3d5932fe9ca08610776adc102867ee9c8dec51ef28e
                                                                        • Opcode Fuzzy Hash: 5b23a473bafc0da78bf8984c29d70a100c787d684718c4bc2f33176d467986a8
                                                                        • Instruction Fuzzy Hash: A6711AB4E15609CFCB08CFA9C9809DEFBF2FF89210F24946AD416B7265D3349A528F54
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1732541298.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7600000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: edae5f7d5b1624efa7faa10a6af07b56ac42d831dcf4e6f9fd0015ca5e1d1135
                                                                        • Instruction ID: 7e41b074c5ec127b16978ff08b7d31fdc772a9cc00135266a7438ce679f3a74d
                                                                        • Opcode Fuzzy Hash: edae5f7d5b1624efa7faa10a6af07b56ac42d831dcf4e6f9fd0015ca5e1d1135
                                                                        • Instruction Fuzzy Hash: 93513CB1E0420ADFCB18CFAAD4416AFFBF2FF89200F14C56AD516A7240D7349A428F94
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1731604429.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7090000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c61af4fb7eebc4ccb7c012940fdd938d5f145bbc9613d3522ef981c7dabaf27e
                                                                        • Instruction ID: 2a954d3535c8f603b0c4cdf893f7f23ea86965a103e69b16d55fc8232087c1a3
                                                                        • Opcode Fuzzy Hash: c61af4fb7eebc4ccb7c012940fdd938d5f145bbc9613d3522ef981c7dabaf27e
                                                                        • Instruction Fuzzy Hash: 1C512CB4E052198FCB14CFA9C5905AEFBF2FF89314F24816AD418AB355D7319942CF61
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1731604429.0000000007090000.00000040.00000800.00020000.00000000.sdmp, Offset: 07090000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7090000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: cfc6cf755ebe046ee7f03e0e6e75c112e8ed711fc27477c68384a1b56d04e640
                                                                        • Instruction ID: 365a915b271f5e2138565c78d1bca4521d99973d5941cd755fde81a7e55a2ab7
                                                                        • Opcode Fuzzy Hash: cfc6cf755ebe046ee7f03e0e6e75c112e8ed711fc27477c68384a1b56d04e640
                                                                        • Instruction Fuzzy Hash: 5D511CB0E052198FDB14DFA9C5405AEFBF2BF89314F24C16AD818AB355D7309942CF61
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1732541298.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7600000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 78f0979a1b8a45b742777c187e942a77fc04c868d4cc4a698a94b3b658e5502b
                                                                        • Instruction ID: e7f20422a8a83ecc36ec5a719f26a37c00a84166d155fb30dd5252de9fc06db4
                                                                        • Opcode Fuzzy Hash: 78f0979a1b8a45b742777c187e942a77fc04c868d4cc4a698a94b3b658e5502b
                                                                        • Instruction Fuzzy Hash: 0D414BB0E0561ADFCB08CFE5C5426AFFBF2EB89200F20D46AC105B7254D7749B458B95
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1732541298.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7600000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: fa123a20d4d6aedf5415115e38b06068f22543e082419dd92b1f579daa8eb0cd
                                                                        • Instruction ID: 3d716841d7cc5cb3fcdbd1299bd09559a2064b923b221ad0de9e2afb2b2a285e
                                                                        • Opcode Fuzzy Hash: fa123a20d4d6aedf5415115e38b06068f22543e082419dd92b1f579daa8eb0cd
                                                                        • Instruction Fuzzy Hash: 684109B0E0520ADBCB48CFA9C5819EEFBF2EF88300F20D569C406B7255E7349A518F94
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1732541298.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7600000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2b6ad9c0b5e2485c8e01ccd7a6e3b5916e4f779c8d4bc9dac6d05d2749fac6e3
                                                                        • Instruction ID: 9ac7b465b7a8f81e89244603f8520be7ca716fc54561b729fefdb2c7b6d07c06
                                                                        • Opcode Fuzzy Hash: 2b6ad9c0b5e2485c8e01ccd7a6e3b5916e4f779c8d4bc9dac6d05d2749fac6e3
                                                                        • Instruction Fuzzy Hash: 62414BB0E1521ADFCB48CFE6C5416AFFBF1EB89300F20946AC105B7264E77497418B94
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1732541298.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7600000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 90d9d87bedd17b8ab72552f6f70de98cd01f3bad186c97e14364efaf05b73696
                                                                        • Instruction ID: ebc7acbf46bf0dd651fc4b1b17f3c87ee34dd8730ad6d0dac35813ef9b025ac8
                                                                        • Opcode Fuzzy Hash: 90d9d87bedd17b8ab72552f6f70de98cd01f3bad186c97e14364efaf05b73696
                                                                        • Instruction Fuzzy Hash: 7D4118B0E1520ADBCB08CFA9C5819EEFBF2EF89300F24D569C406A7255E7749A518F94
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1732541298.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7600000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 263ebca95015d64591fff186838748301ce9a3cd5fb80f12c38f9e54e5d9eedc
                                                                        • Instruction ID: 06c814f5c3149c6d859d4912c0dd474a3f11c540ee8b9ec55e7b0523605cb2ed
                                                                        • Opcode Fuzzy Hash: 263ebca95015d64591fff186838748301ce9a3cd5fb80f12c38f9e54e5d9eedc
                                                                        • Instruction Fuzzy Hash: 2441EAB0E0560ADFCB48CFAAC5815AEFBF2BF89300F14D46AD516B7254D7349A428F94
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1732541298.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7600000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: ec424a4ca6ff370af9e9d12c0c19bdc076dd1ade8808b136622b86102260a6fd
                                                                        • Instruction ID: cead9ce16e0ab5d41f906d6e7d9a7bcbe6d06dd20a93b48088ee7ed649932809
                                                                        • Opcode Fuzzy Hash: ec424a4ca6ff370af9e9d12c0c19bdc076dd1ade8808b136622b86102260a6fd
                                                                        • Instruction Fuzzy Hash: 7521EAB1E016188BEB18CF6BD80179EFAF7AFC9200F18C17AC819A6255EA3415568F51
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.1732541298.0000000007600000.00000040.00000800.00020000.00000000.sdmp, Offset: 07600000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_7600000_3WQwD4Z4L7.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: bc0bea66232c82edaf792c90fd3cacf6f5ce4a337d6e5e8cb4affbd3ca4f1cc8
                                                                        • Instruction ID: 8a6c3995d57ac1e3c63263945a4fb3514564dbcd367b5ef311140189a6e641c6
                                                                        • Opcode Fuzzy Hash: bc0bea66232c82edaf792c90fd3cacf6f5ce4a337d6e5e8cb4affbd3ca4f1cc8
                                                                        • Instruction Fuzzy Hash: 6911DAB1E006189BEB1CCFABD80069EFAF7AFC8200F04C07AC919B6254EB7406568F51

                                                                        Execution Graph

                                                                        Execution Coverage:6.7%
                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                        Signature Coverage:0%
                                                                        Total number of Nodes:14
                                                                        Total number of Limit Nodes:2
                                                                        execution_graph
                                                                        Nodes (id, address, API call where present):
                                                                        • 15206 12aafb8 DuplicateHandle
                                                                        • 15207 12ab04e
                                                                        • 15208 12a5c60
                                                                        • 15209 12a5ca4 SetWindowsHookExW
                                                                        • 15211 12a5cea
                                                                        • 15212 12aad70
                                                                        • 15213 12aadb6 GetCurrentProcess
                                                                        • 15215 12aae08 GetCurrentThread
                                                                        • 15216 12aae01
                                                                        • 15217 12aae3e
                                                                        • 15218 12aae45 GetCurrentProcess
                                                                        • 15219 12aae7b
                                                                        • 15220 12aaea3 GetCurrentThreadId
                                                                        • 15221 12aaed4
                                                                        Edges: 15206->15207, 15208->15209, 15209->15211, 15212->15213, 15213->15215, 15213->15216, 15215->15217, 15215->15218, 15216->15215, 15217->15218, 15218->15219, 15219->15220, 15220->15221

Control-flow Graph
Memory Dump Source
• Source File: 00000002.00000002.4185206339.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_12a0000_3WQwD4Z4L7.jbxd

Control-flow Graph
APIs
• GetCurrentProcess.KERNEL32 ref: 012AADEE
• GetCurrentThread.KERNEL32 ref: 012AAE2B
• GetCurrentProcess.KERNEL32 ref: 012AAE68
• GetCurrentThreadId.KERNEL32 ref: 012AAEC1
Memory Dump Source
• Source File: 00000002.00000002.4185206339.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_12a0000_3WQwD4Z4L7.jbxd
Similarity
• API ID: Current$ProcessThread
• API String ID: 2063062207-0

Control-flow Graph
APIs
• GetCurrentProcess.KERNEL32 ref: 012AADEE
• GetCurrentThread.KERNEL32 ref: 012AAE2B
• GetCurrentProcess.KERNEL32 ref: 012AAE68
• GetCurrentThreadId.KERNEL32 ref: 012AAEC1
Memory Dump Source
• Source File: 00000002.00000002.4185206339.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_12a0000_3WQwD4Z4L7.jbxd
Similarity
• API ID: Current$ProcessThread
• API String ID: 2063062207-0

Control-flow Graph
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012AB03F
Memory Dump Source
• Source File: 00000002.00000002.4185206339.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_12a0000_3WQwD4Z4L7.jbxd
Similarity
• API ID: DuplicateHandle
• API String ID: 3793708945-0

Control-flow Graph
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012AB03F
Memory Dump Source
• Source File: 00000002.00000002.4185206339.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_12a0000_3WQwD4Z4L7.jbxd
Similarity
• API ID: DuplicateHandle
• API String ID: 3793708945-0

Control-flow Graph
APIs
• SetWindowsHookExW.USER32(?,00000000,?,?), ref: 012A5CDB
Memory Dump Source
• Source File: 00000002.00000002.4185206339.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_12a0000_3WQwD4Z4L7.jbxd
Similarity
• API ID: HookWindows
• API String ID: 2559412058-0

Control-flow Graph
APIs
• SetWindowsHookExW.USER32(?,00000000,?,?), ref: 012A5CDB
Memory Dump Source
• Source File: 00000002.00000002.4185206339.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_12a0000_3WQwD4Z4L7.jbxd
Similarity
• API ID: HookWindows
• API String ID: 2559412058-0
Memory Dump Source
• Source File: 00000002.00000002.4184680985.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_11fd000_3WQwD4Z4L7.jbxd
Memory Dump Source
• Source File: 00000002.00000002.4184784272.000000000120D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0120D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_120d000_3WQwD4Z4L7.jbxd