
Windows Analysis Report
3qr7JBuNuX.exe

Overview

General Information

Sample name: 3qr7JBuNuX.exe (renamed because the original name is a hash value)
Original sample name: 34cdeda14b795125dcd164bdb038928d4febef64615d8f5b41318ec9e3ae990d.exe
Analysis ID: 1588869
MD5: 35540c3d857437f1f715981f6d2a5930
SHA1: fb1fe8c43078023fbb8002b89ebbd01ac5dd149d
SHA256: 34cdeda14b795125dcd164bdb038928d4febef64615d8f5b41318ec9e3ae990d
Tags: exe, MassLogger, user-adrian__luca

Detection

MassLogger RAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected MassLogger RAT
Yara detected Telegram RAT
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • 3qr7JBuNuX.exe (PID: 4828 cmdline: "C:\Users\user\Desktop\3qr7JBuNuX.exe" MD5: 35540C3D857437F1F715981F6D2A5930)
    • powershell.exe (PID: 3140 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3qr7JBuNuX.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7380 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • 3qr7JBuNuX.exe (PID: 1880 cmdline: "C:\Users\user\Desktop\3qr7JBuNuX.exe" MD5: 35540C3D857437F1F715981F6D2A5930)
  • cleanup
Extracted malware configuration (MassLogger): {"EXfil Mode": "SMTP", "From": "rock@supamemo.sbs", "Password": "W0kz);5}7i_aesKD", "Server": "mail.supamemo.sbs", "To": "rocee@supamemo.sbs", "Port": 587}
Memory dump Yara matches (Source | Rule | Description | Author | Strings):
00000004.00000002.3018038223.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
00000004.00000002.3018038223.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000002.3018038223.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000004.00000002.3018038223.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0xee6f:$a1: get_encryptedPassword
  • 0xf197:$a2: get_encryptedUsername
  • 0xec0a:$a3: get_timePasswordChanged
  • 0xed2b:$a4: get_passwordField
  • 0xee85:$a5: set_encryptedPassword
  • 0x107d6:$a7: get_logins
  • 0x10487:$a8: GetOutlookPasswords
  • 0x10279:$a9: StartKeylogger
  • 0x10726:$a10: KeyLoggerEventArgs
  • 0x102d6:$a11: KeyLoggerEventArgsEventHandler
00000004.00000002.3020404812.0000000002A83000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(13 further entries omitted)

Unpacked PE Yara matches (Source | Rule | Description | Author | Strings):
4.2.3qr7JBuNuX.exe.400000.0.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
4.2.3qr7JBuNuX.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
4.2.3qr7JBuNuX.exe.400000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
4.2.3qr7JBuNuX.exe.400000.0.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0xf06f:$a1: get_encryptedPassword
  • 0xf397:$a2: get_encryptedUsername
  • 0xee0a:$a3: get_timePasswordChanged
  • 0xef2b:$a4: get_passwordField
  • 0xf085:$a5: set_encryptedPassword
  • 0x109d6:$a7: get_logins
  • 0x10687:$a8: GetOutlookPasswords
  • 0x10479:$a9: StartKeylogger
  • 0x10926:$a10: KeyLoggerEventArgs
  • 0x104d6:$a11: KeyLoggerEventArgsEventHandler
4.2.3qr7JBuNuX.exe.400000.0.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x13ffd:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x134fb:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x13809:$a4: \Orbitum\User Data\Default\Login Data
  • 0x14601:$a5: \Kometa\User Data\Default\Login Data
(18 further entries omitted)

                System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3qr7JBuNuX.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3qr7JBuNuX.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\3qr7JBuNuX.exe", ParentImage: C:\Users\user\Desktop\3qr7JBuNuX.exe, ParentProcessId: 4828, ParentProcessName: 3qr7JBuNuX.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3qr7JBuNuX.exe", ProcessId: 3140, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3qr7JBuNuX.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3qr7JBuNuX.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\3qr7JBuNuX.exe", ParentImage: C:\Users\user\Desktop\3qr7JBuNuX.exe, ParentProcessId: 4828, ParentProcessName: 3qr7JBuNuX.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3qr7JBuNuX.exe", ProcessId: 3140, ProcessName: powershell.exe
Suricata IDS alert (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
2025-01-11T06:33:30.095168+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49733 | 158.101.44.242 | 80 | TCP

                AV Detection

Source: 0.2.3qr7JBuNuX.exe.4dac598.1.raw.unpack; Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "rock@supamemo.sbs", "Password": "W0kz);5}7i_aesKD", "Server": "mail.supamemo.sbs", "To": "rocee@supamemo.sbs", "Port": 587}
Source: 3qr7JBuNuX.exe; Virustotal: Detection: 75%
Source: 3qr7JBuNuX.exe; ReversingLabs: Detection: 63%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: 3qr7JBuNuX.exe; Joe Sandbox ML: detected

                Location Tracking

Source: unknown; DNS query: name: reallyfreegeoip.org
Source: 3qr7JBuNuX.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49734 version: TLS 1.0
Source: 3qr7JBuNuX.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: global traffic; HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 104.21.16.1
Source: Joe Sandbox View; IP Address: 158.101.44.242
Source: Joe Sandbox View; JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown; DNS query: name: checkip.dyndns.org
Source: unknown; DNS query: name: reallyfreegeoip.org
Source: Network traffic; Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49733 -> 158.101.44.242:80
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown; HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49734 version: TLS 1.0
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic; DNS traffic detected: DNS query: reallyfreegeoip.org
Source: unknown; Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49734

                System Summary

Source: 4.2.3qr7JBuNuX.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
Source: 4.2.3qr7JBuNuX.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
Source: 0.2.3qr7JBuNuX.exe.4dac598.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
Source: 0.2.3qr7JBuNuX.exe.4dac598.1.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
Source: 0.2.3qr7JBuNuX.exe.4d95b78.2.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
Source: 0.2.3qr7JBuNuX.exe.4d95b78.2.unpack, type: UNPACKEDPE; Matched rule: Detects Encrial credential stealer malware; Author: Florian Roth
Source: 0.2.3qr7JBuNuX.exe.4dac598.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
Source: 0.2.3qr7JBuNuX.exe.4d95b78.2.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
Source: 00000004.00000002.3018038223.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
Source: 00000000.00000002.1796395085.0000000004D69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
Source: Process Memory Space: 3qr7JBuNuX.exe PID: 4828, type: MEMORYSTR; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
Source: Process Memory Space: 3qr7JBuNuX.exe PID: 1880, type: MEMORYSTR; Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65; Author: unknown
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_00E72DD14_2_00E72DD1
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_00E794804_2_00E79480
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_00E7C5214_2_00E7C521
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_00E7946F4_2_00E7946F
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E661384_2_04E66138
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E613A84_2_04E613A8
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E6BC504_2_04E6BC50
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E6AE784_2_04E6AE78
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E689E04_2_04E689E0
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E65AD84_2_04E65AD8
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E60AB84_2_04E60AB8
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E6F4554_2_04E6F455
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E6F4584_2_04E6F458
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E674234_2_04E67423
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E674284_2_04E67428
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E685884_2_04E68588
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E685794_2_04E68579
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E645204_2_04E64520
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E6450F4_2_04E6450F
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E656804_2_04E65680
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E656704_2_04E65670
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E6E7404_2_04E6E740
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E6E7504_2_04E6E750
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E6F0004_2_04E6F000
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E681204_2_04E68120
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E661374_2_04E66137
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E681304_2_04E68130
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E6E2F54_2_04E6E2F5
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E6E2F84_2_04E6E2F8
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E652284_2_04E65228
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E6521B4_2_04E6521B
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E603204_2_04E60320
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E603304_2_04E60330
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E67CC84_2_04E67CC8
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E60CD84_2_04E60CD8
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E67CD84_2_04E67CD8
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E63CA34_2_04E63CA3
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E64DC04_2_04E64DC0
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E64DD04_2_04E64DD0
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E6EFFD4_2_04E6EFFD
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E66FCD4_2_04E66FCD
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E66FD04_2_04E66FD0
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E6F8A14_2_04E6F8A1
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E6F8B04_2_04E6F8B0
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E678804_2_04E67880
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E678714_2_04E67871
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E649694_2_04E64969
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E649784_2_04E64978
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E65ACB4_2_04E65ACB
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E6EBA84_2_04E6EBA8
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_04E6EB984_2_04E6EB98
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_054480304_2_05448030
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_054460D84_2_054460D8
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_054473904_2_05447390
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_05446D484_2_05446D48
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_054479E04_2_054479E0
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_054415E84_2_054415E8
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_054415F84_2_054415F8
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_054435974_2_05443597
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_054435984_2_05443598
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_054424274_2_05442427
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_054424384_2_05442438
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_054404884_2_05440488
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_054404984_2_05440498
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_054446E94_2_054446E9
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_054446F84_2_054446F8
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_0544869F4_2_0544869F
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_054486B04_2_054486B0
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_054431404_2_05443140
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_054431324_2_05443132
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_054451D84_2_054451D8
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_054451E84_2_054451E8
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_054411904_2_05441190
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_054411A04_2_054411A0
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_054400404_2_05440040
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_054480234_2_05448023
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_0544003D4_2_0544003D
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_054460C94_2_054460C9
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_054473804_2_05447380
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_054442904_2_05444290
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_054442A04_2_054442A0
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_05440D484_2_05440D48
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_05446D374_2_05446D37
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_05440D394_2_05440D39
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_05442CE74_2_05442CE7
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_05442CE84_2_05442CE8
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_05443E454_2_05443E45
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_05443E484_2_05443E48
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_05441E9A4_2_05441E9A
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_05441EA84_2_05441EA8
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_054479D04_2_054479D0
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_054439E64_2_054439E6
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_054439F04_2_054439F0
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_054408E14_2_054408E1
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_054408F04_2_054408F0
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_054428804_2_05442880
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_054428904_2_05442890
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_05444B404_2_05444B40
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_05444B504_2_05444B50
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_05441A404_2_05441A40
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeCode function: 4_2_05441A504_2_05441A50
Source: 3qr7JBuNuX.exe, 00000000.00000002.1796395085.0000000004D69000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs 3qr7JBuNuX.exe
Source: 3qr7JBuNuX.exe, 00000000.00000002.1796395085.0000000004D69000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs 3qr7JBuNuX.exe
Source: 3qr7JBuNuX.exe, 00000000.00000002.1796395085.0000000004D69000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs 3qr7JBuNuX.exe
Source: 3qr7JBuNuX.exe, 00000000.00000000.1761361175.0000000001070000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameyttJL.exe4 vs 3qr7JBuNuX.exe
Source: 3qr7JBuNuX.exe, 00000000.00000002.1792430607.00000000016DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 3qr7JBuNuX.exe
Source: 3qr7JBuNuX.exe, 00000000.00000002.1794545207.0000000003561000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs 3qr7JBuNuX.exe
Source: 3qr7JBuNuX.exe, 00000000.00000002.1799917884.00000000083D0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs 3qr7JBuNuX.exe
Source: 3qr7JBuNuX.exe, 00000000.00000002.1803221023.000000000A8F0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs 3qr7JBuNuX.exe
Source: 3qr7JBuNuX.exe, 00000004.00000002.3018038223.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs 3qr7JBuNuX.exe
Source: 3qr7JBuNuX.exe, 00000004.00000002.3018192739.00000000008F7000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 3qr7JBuNuX.exe
Source: 3qr7JBuNuX.exe | Binary or memory string: OriginalFilenameyttJL.exe4 vs 3qr7JBuNuX.exe
Source: 3qr7JBuNuX.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 4.2.3qr7JBuNuX.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 4.2.3qr7JBuNuX.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.3qr7JBuNuX.exe.4dac598.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.3qr7JBuNuX.exe.4dac598.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.3qr7JBuNuX.exe.4d95b78.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.3qr7JBuNuX.exe.4d95b78.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.3qr7JBuNuX.exe.4dac598.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.3qr7JBuNuX.exe.4d95b78.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000004.00000002.3018038223.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1796395085.0000000004D69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: 3qr7JBuNuX.exe PID: 4828, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: 3qr7JBuNuX.exe PID: 1880, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
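The dump names in the rows above encode where each match was found, and for triage that location matters more than the family name: the two community rules that fired (Elastic's Snake Keylogger rule and Florian Roth's Envrial rule) are classifier output, while the region they fired in is a measured fact. The Python below is an added example, not part of this report or of any Joe Sandbox tooling. It assumes the dump-name layout `<process index>.<dump number>.<timestamp>.<base address>.<protection>.<flags>.<region type>.<extra>.sdmp`; that layout is inferred from the values in this report (0x40 on the region at 0x402000, 0x1000000 on the sample's own image at 0x1070000), not taken from documentation, and the protection and region-type fields are decoded with the winnt.h constants.

```python
"""Decode Joe Sandbox memory-dump names and rank the rule hits above (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Win32 constants from winnt.h
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# ASSUMPTION: field layout of the .sdmp names in this report, inferred from the values seen
# (0x40 on the 0x402000 region, 0x1000000 on the sample's own image), not from Joe Sandbox docs:
#   <proc idx>.<dump no>.<timestamp>.<base>.<protection>.<flags>.<region type>.<extra>.sdmp
DUMP_NAME = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<dump>[0-9a-f]{8})\.(?P<ts>\d+)\.(?P<base>[0-9a-f]{16})\."
    r"(?P<prot>[0-9a-f]{8})\.(?P<flags>[0-9a-f]{8})\.(?P<type>[0-9a-f]{8})\.(?P<extra>[0-9a-f]{8})\.sdmp$",
    re.I,
)


@dataclass(frozen=True)
class Region:
    process: int
    base: int
    protection: str
    mem_type: str

    def looks_like_injected_pe(self) -> bool:
        """Executable pages that no file-backed image provides: code that was written, not loaded."""
        return self.protection.startswith("PAGE_EXECUTE") and self.mem_type != "MEM_IMAGE"


def parse_dump_name(name: str) -> Region:
    m = DUMP_NAME.match(name)
    if m is None:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    prot = int(m["prot"], 16) & 0xFF  # drop PAGE_GUARD / PAGE_NOCACHE modifier bits
    mem_type = int(m["type"], 16)
    return Region(
        process=int(m["proc"], 16),
        base=int(m["base"], 16),
        protection=PAGE_PROTECT.get(prot, f"0x{prot:02x}"),
        mem_type=MEM_TYPE.get(mem_type, f"0x{mem_type:x}"),
    )


# Dump names and what matched in them, copied from the report rows above.
REPORT_REGIONS: List[Tuple[str, str]] = [
    ("00000004.00000002.3018038223.0000000000402000.00000040.00000400.00020000.00000000.sdmp",
     "Windows_Trojan_SnakeKeylogger_af3faa65"),
    ("00000000.00000002.1796395085.0000000004D69000.00000004.00000800.00020000.00000000.sdmp",
     "Windows_Trojan_SnakeKeylogger_af3faa65"),
    ("00000000.00000000.1761361175.0000000001070000.00000002.00000001.01000000.00000003.sdmp",
     "string OriginalFilename=yttJL.exe"),
    ("00000000.00000002.1799917884.00000000083D0000.00000004.08000000.00040000.00000000.sdmp",
     "string OriginalFilename=Arthur.dll"),
    ("00000000.00000002.1803221023.000000000A8F0000.00000004.08000000.00040000.00000000.sdmp",
     "string OriginalFilename=Montero.dll"),
]


def rank_hits(hits: Iterable[Tuple[str, str]]) -> List[Tuple[Region, str, bool]]:
    """Injected-looking regions first: that is where to carve the payload and pivot for IOCs."""
    rows = [(parse_dump_name(name), label) for name, label in hits]
    return sorted(((r, label, r.looks_like_injected_pe()) for r, label in rows),
                  key=lambda t: (not t[2], t[0].process, t[0].base))


def injected_regions(hits: Iterable[Tuple[str, str]]) -> List[Region]:
    return [r for r, _label, flagged in rank_hits(hits) if flagged]


if __name__ == "__main__":
    for region, label, flagged in rank_hits(REPORT_REGIONS):
        tag = "INJECTED?" if flagged else "         "
        print(f"{tag} proc {region.process} base 0x{region.base:08x} "
              f"{region.protection:<22} {region.mem_type:<11} {label}")
```

Run on the five regions above it puts the 0x402000 region of the second 3qr7JBuNuX.exe instance first: PAGE_EXECUTE_READWRITE and MEM_PRIVATE, executable code with no file on disk behind it, which is the artifact behind the injection finding and the region to carve the final payload from. Every other hit is a non-executable copy: the heap at 0x4D69000 in the first instance (where the CloudServices.exe, Arthur.dll and Montero.dll names also sit) and read-write mapped, non-image regions at 0x83D0000 and 0xA8F0000. The only image-backed region is the sample's own, carrying the yttJL.exe name, so the likeliest reading of these rows is an outer .NET loader (yttJL.exe) holding two intermediate assemblies and the CloudServices.exe payload in memory, with the payload written into the second copy of the process.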
Source: 3qr7JBuNuX.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/6@2/2
Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3qr7JBuNuX.exe.log
Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1196:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_clusd3tj.va0.ps1
Source: 3qr7JBuNuX.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 3qr7JBuNuX.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 3qr7JBuNuX.exe, 00000004.00000002.3020404812.0000000002A3E000.00000004.00000800.00020000.00000000.sdmp, 3qr7JBuNuX.exe, 00000004.00000002.3020404812.0000000002A4E000.00000004.00000800.00020000.00000000.sdmp, 3qr7JBuNuX.exe, 00000004.00000002.3020404812.0000000002A5C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
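That string is not something the stealer carries in its own code: it is the CREATE TABLE text that SQLite keeps verbatim in sqlite_master on page 1 of Chromium's Login Data database, so it ends up in the memory of whatever process opens (a copy of) that file. Found in private read-write regions of the second 3qr7JBuNuX.exe instance, it is direct evidence that the injected payload read the browser's credential store. The Python below is an added example, not code from the report or from the sample. It rebuilds a Login Data lookalike using the password_notes DDL exactly as quoted above plus a reduced logins table (an assumption; Chromium's real table has many more columns), then shows the DDL is readable both through the SQLite API and as plain bytes in the file, which is the check to run against a memory dump of a process that is not a browser.

```python
"""Why a Chromium Login Data schema string sits in the stealer's memory (added example)."""
import os
import sqlite3
import tempfile
from typing import List, Tuple

# password_notes DDL exactly as quoted in the report (Chromium's Login Data schema, minus the ';').
PASSWORD_NOTES_DDL = (
    "CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL "
    "REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, "
    "key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, "
    "UNIQUE (parent_id, key))"
)
# ASSUMPTION: a reduced stand-in for Chromium's logins table, only the columns this example needs.
LOGINS_DDL = (
    "CREATE TABLE logins (id INTEGER PRIMARY KEY AUTOINCREMENT, origin_url VARCHAR NOT NULL, "
    "username_value VARCHAR, password_value BLOB)"
)
DDL_MARKERS = {"logins": b"CREATE TABLE logins", "password_notes": b"CREATE TABLE password_notes"}


def build_login_data(path: str) -> None:
    """Create a Login Data lookalike with one constructed credential row."""
    con = sqlite3.connect(path)
    try:
        con.execute(LOGINS_DDL)
        con.execute(PASSWORD_NOTES_DDL)
        # Constructed row. Real Chromium stores password_value encrypted (DPAPI-wrapped key in
        # Local State, AES-GCM values), so a stealer needs more than this file to get plaintext.
        con.execute(
            "INSERT INTO logins (origin_url, username_value, password_value) VALUES (?, ?, ?)",
            ("https://example.test/login", "alice", b"v10\x00\x01\x02\x03"),
        )
        con.commit()
    finally:
        con.close()


def schema_statements(path: str) -> List[str]:
    """What any process that opens the file reads from page 1: the DDL text kept in sqlite_master."""
    con = sqlite3.connect(path)
    try:
        rows = con.execute("SELECT sql FROM sqlite_master WHERE type = 'table' ORDER BY name")
        return [row[0] for row in rows]
    finally:
        con.close()


def chromium_ddl_in_buffer(buf: bytes) -> List[str]:
    """Forensic check for a memory dump or file: which Login Data tables' DDL appear in it."""
    return [name for name, marker in DDL_MARKERS.items() if marker in buf]


def demo() -> Tuple[List[str], List[str]]:
    """Build the lookalike, then look at it both as raw bytes and through the SQLite API."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "Login Data")
        build_login_data(path)
        with open(path, "rb") as fh:
            raw = fh.read()
        return chromium_ddl_in_buffer(raw), schema_statements(path)


if __name__ == "__main__":
    found, statements = demo()
    print("DDL strings present in the raw file bytes:", found)
    for stmt in statements:
        print(stmt)
```

chromium_ddl_in_buffer is the function to point at a .sdmp region: CREATE TABLE logins or CREATE TABLE password_notes inside a process that is not a browser warrants the same verdict the report reaches here, and a match on password_notes specifically dates the opened profile to a Chromium version that has that table. Reading the file is only the first step for the stealer, since the password column is encrypted; the report shows nothing about the decryption.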
Source: 3qr7JBuNuX.exe | Virustotal: Detection: 75%
Source: 3qr7JBuNuX.exe | ReversingLabs: Detection: 63%
Source: unknown | Process created: C:\Users\user\Desktop\3qr7JBuNuX.exe "C:\Users\user\Desktop\3qr7JBuNuX.exe"
Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3qr7JBuNuX.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Process created: C:\Users\user\Desktop\3qr7JBuNuX.exe "C:\Users\user\Desktop\3qr7JBuNuX.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3qr7JBuNuX.exe"
Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Process created: C:\Users\user\Desktop\3qr7JBuNuX.exe "C:\Users\user\Desktop\3qr7JBuNuX.exe"
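The two process rows directly above are the detection-worthy part of the tree: a 32-bit sample launches PowerShell to add its own path to Defender's exclusion list (the command line names System32 but the image that runs is the SysWOW64 copy, which is WoW64 file-system redirection for a 32-bit caller), then starts a second copy of itself, the instance that later holds the unpacked PE. The Python below is an added example of detection logic over constructed process-creation events that mirror this tree; it is not code from the report. PIDs are invented, the command lines are the ones shown above, and event 105 is a constructed base64-encoded variant that the report does not contain: the example goes beyond the report by also decoding -EncodedCommand, since the same cmdlet is commonly hidden that way.

```python
"""Detection logic for the process behaviour recorded above (added example)."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    """Minimal Sysmon Event ID 1 / Security 4688 style record."""
    pid: int
    ppid: int
    image: str
    parent_image: str
    command_line: str


POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = r"C:\Users\user\Desktop\3qr7JBuNuX.exe"
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files")

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
_ENC_FLAGS = "|".join("encodedcommand"[:i] for i in range(1, len("encodedcommand") + 1))
ENCODED_RE = re.compile(r"(?:^|\s)[-/](?:" + _ENC_FLAGS + r"|ec)\s+([A-Za-z0-9+/=]+)", re.I)
MPPREF_RE = re.compile(r"\b(?:add|set)-mppreference\b.*?-exclusion(?:path|process|extension)", re.I | re.S)


def encode_for_powershell(script: str) -> str:
    """-EncodedCommand takes base64 over the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Recover the script behind -EncodedCommand, or None if absent or not valid base64/UTF-16LE."""
    m = ENCODED_RE.search(command_line)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def effective_command(command_line: str) -> str:
    """The command line plus, when present, the decoded script, so one regex covers both forms."""
    decoded = decode_encoded_command(command_line)
    return command_line if decoded is None else command_line + "\n" + decoded


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _user_writable(path: str) -> bool:
    return not path.lower().startswith(SYSTEM_ROOTS)


def detect(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    findings: List[Tuple[int, str]] = []
    for ev in events:
        # Rule 1: Defender exclusion added from PowerShell, in clear or behind -EncodedCommand.
        if _basename(ev.image) in ("powershell.exe", "pwsh.exe") and MPPREF_RE.search(
            effective_command(ev.command_line)
        ):
            findings.append((ev.pid, "defender_exclusion_via_powershell"))
        # Rule 2: a binary outside the Windows / Program Files trees starts a copy of itself
        # (3qr7JBuNuX.exe -> 3qr7JBuNuX.exe above; the child is where the unpacked PE ends up).
        # Browsers spawn same-image children legitimately from Program Files, hence the path filter.
        if ev.image.lower() == ev.parent_image.lower() and _user_writable(ev.image):
            findings.append((ev.pid, "same_image_child_from_user_path"))
    return findings


# Constructed events mirroring the report's process tree: PIDs invented, command lines as shown
# above. Event 105 is a constructed encoded variant that does not occur in the report.
EVENTS = [
    ProcEvent(101, 100, SAMPLE, r"C:\Windows\explorer.exe", f'"{SAMPLE}"'),
    ProcEvent(102, 101, POWERSHELL, SAMPLE,
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
              r'-ExclusionPath "C:\Users\user\Desktop\3qr7JBuNuX.exe"'),
    ProcEvent(103, 102, r"C:\Windows\System32\conhost.exe", POWERSHELL,
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(104, 101, SAMPLE, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(105, 101, POWERSHELL, SAMPLE,
              "powershell.exe -NoP -W Hidden -enc "
              + encode_for_powershell(r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop"')),
]

if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule)
```

On a real host the counterpart of rule 1 is Defender's operational log event 5007 (configuration changed) correlated with the Sysmon or 4688 process creation, and the resulting exclusion can be listed with Get-MpPreference; that correlation catches the change even when the command line is hidden. Rule 2 is deliberately limited to binaries outside C:\Windows and Program Files, because browsers and other sandboxed applications spawn copies of themselves from those locations all day.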
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeSection loaded: iconcodecservice.dllJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Section loaded: rasapi32.dll
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Section loaded: rasman.dll
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Section loaded: rtutils.dll
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Section loaded: dhcpcsvc6.dll
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Section loaded: dhcpcsvc.dll
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Section loaded: dnsapi.dll
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Section loaded: fwpuclnt.dll
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Section loaded: secur32.dll
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Section loaded: schannel.dll
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Section loaded: mskeyprotect.dll
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Section loaded: ncryptsslp.dll
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Section loaded: dpapi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                Source: 3qr7JBuNuX.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: 3qr7JBuNuX.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Code function: 0_2_018C1C70 push ds; ret 0_2_018C1C72
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Code function: 0_2_0A063440 push 69C84589h; ret 0_2_0A063448
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Code function: 0_2_0A4F418F push eax; retf 0_2_0A4F4190
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Code function: 4_2_0544BCDF push esp; retf 4_2_0544BD19
                Source: 3qr7JBuNuX.exe | Static PE information: section name: .text entropy: 7.550819638547243

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                Source: Yara match | File source: Process Memory Space: 3qr7JBuNuX.exe PID: 4828, type: MEMORYSTR
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Memory allocated: 18C0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Memory allocated: 3560000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Memory allocated: 3480000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Memory allocated: 5B00000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Memory allocated: 6B00000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Memory allocated: 6C30000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Memory allocated: 7C30000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Memory allocated: BDF0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Memory allocated: CDF0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Memory allocated: D280000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Memory allocated: E280000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Memory allocated: F480000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Memory allocated: 10480000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Memory allocated: 11480000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Memory allocated: D90000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Memory allocated: 2960000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6537
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3147
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe TID: 1608 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7308 | Thread sleep time: -5534023222112862s >= -30000s
                Source: 3qr7JBuNuX.exe, 00000000.00000002.1792430607.0000000001712000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@ou
                Source: 3qr7JBuNuX.exe, 00000004.00000002.3018721983.0000000000B36000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Code function: 4_2_04E60AB8 LdrInitializeThunk,LdrInitializeThunk,4_2_04E60AB8
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3qr7JBuNuX.exe"
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3qr7JBuNuX.exe"
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Memory written: C:\Users\user\Desktop\3qr7JBuNuX.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Process created: C:\Users\user\Desktop\3qr7JBuNuX.exe "C:\Users\user\Desktop\3qr7JBuNuX.exe"
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Users\user\Desktop\3qr7JBuNuX.exe VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeQueries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeQueries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeQueries volume information: C:\Users\user\Desktop\3qr7JBuNuX.exe VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\3qr7JBuNuX.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

Source: Yara match | File source: 4.2.3qr7JBuNuX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3qr7JBuNuX.exe.4dac598.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3qr7JBuNuX.exe.4d95b78.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3qr7JBuNuX.exe.4dac598.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3qr7JBuNuX.exe.4d95b78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3018038223.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1796395085.0000000004D69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 3qr7JBuNuX.exe PID: 4828, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 3qr7JBuNuX.exe PID: 1880, type: MEMORYSTR
Source: Yara match | File source: 4.2.3qr7JBuNuX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3qr7JBuNuX.exe.4dac598.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3qr7JBuNuX.exe.4d95b78.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3qr7JBuNuX.exe.4dac598.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3qr7JBuNuX.exe.4d95b78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3018038223.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1796395085.0000000004D69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 3qr7JBuNuX.exe PID: 4828, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 3qr7JBuNuX.exe PID: 1880, type: MEMORYSTR
Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\3qr7JBuNuX.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 4.2.3qr7JBuNuX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3qr7JBuNuX.exe.4dac598.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3qr7JBuNuX.exe.4d95b78.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3qr7JBuNuX.exe.4dac598.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3qr7JBuNuX.exe.4d95b78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3018038223.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3020404812.0000000002A83000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1796395085.0000000004D69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 3qr7JBuNuX.exe PID: 4828, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 3qr7JBuNuX.exe PID: 1880, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match | File source: 4.2.3qr7JBuNuX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3qr7JBuNuX.exe.4dac598.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3qr7JBuNuX.exe.4d95b78.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3qr7JBuNuX.exe.4dac598.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3qr7JBuNuX.exe.4d95b78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3018038223.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1796395085.0000000004D69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 3qr7JBuNuX.exe PID: 4828, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 3qr7JBuNuX.exe PID: 1880, type: MEMORYSTR
Source: Yara match | File source: 4.2.3qr7JBuNuX.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3qr7JBuNuX.exe.4dac598.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3qr7JBuNuX.exe.4d95b78.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3qr7JBuNuX.exe.4dac598.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.3qr7JBuNuX.exe.4d95b78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3018038223.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1796395085.0000000004D69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 3qr7JBuNuX.exe PID: 4828, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 3qr7JBuNuX.exe PID: 1880, type: MEMORYSTR
MITRE ATT&CK Matrix

The matrix was flattened in extraction and is rebuilt here as one line per tactic column. A number preceding a technique is the hit badge the original matrix shows next to that technique; techniques without a number are the unhit entries of the matrix template.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 111 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 11 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 111 Process Injection; 3 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading; Indicator Removal from Tools
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 Query Registry; 1 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; 1 File and Directory Discovery; 13 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Email Collection; 1 Archive Collected Data; 1 Data from Local System; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Antivirus, Machine Learning and Genetic Malware Detection (initial sample):

| Source | Detection | Scanner | Label |
|---|---|---|---|
| 3qr7JBuNuX.exe | 75% | Virustotal | |
| 3qr7JBuNuX.exe | 63% | ReversingLabs | ByteCode-MSIL.Backdoor.FormBook |
| 3qr7JBuNuX.exe | 100% | Joe Sandbox ML | |

No Antivirus matches for the remaining categories (dropped files, unpacked PE files, domains, URLs).
Contacted domains:

| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| reallyfreegeoip.org | 104.21.16.1 | true | false | | high |
| checkip.dyndns.com | 158.101.44.242 | true | false | | high |
| checkip.dyndns.org | unknown | unknown | false | | high |
Contacted URLs:

| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high |
| http://checkip.dyndns.org/ | false | | high |
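The two tables above and the "Stealing of Sensitive Information" entries earlier on this page together give the host and network tells of this sample: a non-browser process opening the Chrome and Edge "Login Data" stores, a non-mail process opening the Outlook profile key, and HTTP requests to checkip.dyndns.org and reallyfreegeoip.org. The following is an added example, not part of the Joe Sandbox report or of the sample, that turns those report-derived indicators into a small detection pass. Everything apart from the indicators is an assumption made for the example: the flat event schema (pid, image, kind, target) stands in for whatever Sysmon or EDR file, registry, DNS and proxy events you actually have, the browser and mail-client allow-lists are placeholders, and all events in the stream are constructed. The font-vendor URLs in the strings table further down are deliberately not used as indicators: the report marks none of them malicious, and they sit in the same memory region as the font files the sample enumerated.

```python
"""Three checks for the behaviours recorded in this report, run over a
constructed event stream. Only the indicators (credential-store paths, the
Outlook profile key, the IP-lookup hostnames) come from the report; the event
schema, the process allow-lists and every sample event are assumptions."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set
from urllib.parse import urlparse

# Indicators from the report.
LOGIN_DATA_RE = re.compile(
    r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\[^\\]+\\Login Data( For Account)?$",
    re.IGNORECASE,
)
OUTLOOK_PROFILE_KEY = (
    r"Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"
)
IP_CHECK_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com", "reallyfreegeoip.org"}

# Assumed allow-lists: the only processes expected to touch these resources.
BROWSERS = {"chrome.exe", "msedge.exe"}
MAIL_CLIENTS = {"outlook.exe"}
CREDENTIAL_RULES = {"credential_store_access", "mail_profile_access"}


@dataclass(frozen=True)
class Event:
    pid: int
    image: str   # full path of the acting process
    kind: str    # "file_open", "reg_open", "dns" or "http"
    target: str  # file path, registry key, queried hostname or requested URL


@dataclass(frozen=True)
class Alert:
    pid: int
    process: str
    rule: str
    target: str


def _image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _host_of(ev: Event) -> str:
    host = urlparse(ev.target).hostname if ev.kind == "http" else ev.target
    return (host or "").lower().rstrip(".")


def detect(events: Iterable[Event]) -> List[Alert]:
    """One Alert per event that trips a rule; benign events produce nothing."""
    alerts: List[Alert] = []
    for ev in events:
        name = _image_name(ev.image)
        if ev.kind == "file_open":
            if LOGIN_DATA_RE.search(ev.target) and name not in BROWSERS:
                alerts.append(Alert(ev.pid, name, "credential_store_access", ev.target))
        elif ev.kind == "reg_open":
            if ev.target.lower().endswith(OUTLOOK_PROFILE_KEY.lower()) and name not in MAIL_CLIENTS:
                alerts.append(Alert(ev.pid, name, "mail_profile_access", ev.target))
        elif ev.kind in ("dns", "http"):
            if _host_of(ev) in IP_CHECK_HOSTS:
                alerts.append(Alert(ev.pid, name, "ip_check_beacon", ev.target))
    return alerts


def stealer_pids(alerts: Iterable[Alert]) -> List[int]:
    """PIDs that both read a credential store and contacted an IP-lookup service.
    Requiring both reproduces the combination this report records and keeps a
    lone IP lookup by some other tool from alerting on its own."""
    rules_by_pid: Dict[int, Set[str]] = {}
    for a in alerts:
        rules_by_pid.setdefault(a.pid, set()).add(a.rule)
    return sorted(pid for pid, rules in rules_by_pid.items()
                  if rules & CREDENTIAL_RULES and "ip_check_beacon" in rules)


# Constructed sample stream: pid 4828 replays the report's behaviour; the other
# pids are benign activity plus one unrelated tool doing a lone IP lookup.
SAMPLE = r"C:\Users\user\Desktop\3qr7JBuNuX.exe"
HKCU_NT = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion"
CHROME_LOGIN_DATA = r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"
EDGE_LOGIN_DATA = r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"
SAMPLE_EVENTS = [
    Event(4828, SAMPLE, "file_open", CHROME_LOGIN_DATA),
    Event(4828, SAMPLE, "file_open", EDGE_LOGIN_DATA),
    Event(4828, SAMPLE, "reg_open", HKCU_NT + "\\" + OUTLOOK_PROFILE_KEY),
    Event(4828, SAMPLE, "http", "http://checkip.dyndns.org/"),
    Event(4828, SAMPLE, "http", "https://reallyfreegeoip.org/xml/8.46.123.189"),
    Event(1212, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "file_open", CHROME_LOGIN_DATA),
    Event(2323, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "reg_open",
          HKCU_NT + "\\" + OUTLOOK_PROFILE_KEY),
    Event(3434, r"C:\Windows\System32\svchost.exe", "dns", "time.windows.com"),
    Event(7777, r"C:\Tools\nettool.exe", "dns", "checkip.dyndns.org"),
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"pid {a.pid} {a.process}: {a.rule} -> {a.target}")
    print("stealer candidates:", stealer_pids(found))
```

Run as a script it lists six alerts (five for the replayed sample, one for the unrelated IP lookup) and names only pid 4828 as a stealer candidate, because the lone lookup never touched a credential store. In real telemetry the allow-lists need the full set of browsers and mail clients present in the estate, and the IP-lookup rule is best kept as a correlation input rather than an alert of its own, since legitimate tools use the same services.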
URLs found in memory and binary strings (the fused Name/Source columns of the original are split here; trailing characters such as "G", "d" or "l" on some URLs are part of the extracted string as the report shows it):

| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| http://www.apache.org/licenses/LICENSE-2.0 | 3qr7JBuNuX.exe, 00000000.00000002.1800718540.0000000009B62000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.fontbureau.com | 3qr7JBuNuX.exe, 00000000.00000002.1800718540.0000000009B62000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.fontbureau.com/designersG | 3qr7JBuNuX.exe, 00000000.00000002.1800718540.0000000009B62000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.fontbureau.com/designers/? | 3qr7JBuNuX.exe, 00000000.00000002.1800718540.0000000009B62000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.founder.com.cn/cn/bThe | 3qr7JBuNuX.exe, 00000000.00000002.1800718540.0000000009B62000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.fontbureau.com/designers? | 3qr7JBuNuX.exe, 00000000.00000002.1800718540.0000000009B62000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://api.libertyreserve.com/beta/xml/history.aspx | 3qr7JBuNuX.exe | false | | high |
| http://reallyfreegeoip.orgd | 3qr7JBuNuX.exe, 00000004.00000002.3020404812.00000000029FC000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.tiro.com | 3qr7JBuNuX.exe, 00000000.00000002.1800718540.0000000009B62000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://checkip.dyndns.org | 3qr7JBuNuX.exe, 00000004.00000002.3020404812.00000000029DE000.00000004.00000800.00020000.00000000.sdmp, 3qr7JBuNuX.exe, 00000004.00000002.3020404812.00000000029D3000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.fontbureau.com/designers | 3qr7JBuNuX.exe, 00000000.00000002.1800718540.0000000009B62000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://api.libertyreserve.com/beta/xml/history.aspxS | 3qr7JBuNuX.exe, 00000000.00000002.1794545207.0000000003569000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.goodfont.co.kr | 3qr7JBuNuX.exe, 00000000.00000002.1800718540.0000000009B62000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://api.libertyreserve.com/beta/xml/ | 3qr7JBuNuX.exe | false | | high |
| http://www.carterandcone.coml | 3qr7JBuNuX.exe, 00000000.00000002.1800718540.0000000009B62000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.sajatypeworks.com | 3qr7JBuNuX.exe, 00000000.00000002.1800718540.0000000009B62000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.typography.netD | 3qr7JBuNuX.exe, 00000000.00000002.1800718540.0000000009B62000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.fontbureau.com/designers/cabarga.htmlN | 3qr7JBuNuX.exe, 00000000.00000002.1800718540.0000000009B62000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.founder.com.cn/cn/cThe | 3qr7JBuNuX.exe, 00000000.00000002.1800718540.0000000009B62000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.galapagosdesign.com/staff/dennis.htm | 3qr7JBuNuX.exe, 00000000.00000002.1800718540.0000000009B62000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.founder.com.cn/cn | 3qr7JBuNuX.exe, 00000000.00000002.1800718540.0000000009B62000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://api.libertyreserve.com/beta/xml/transfer.aspx | 3qr7JBuNuX.exe | false | | high |
| http://www.fontbureau.com/designers/frere-user.html | 3qr7JBuNuX.exe, 00000000.00000002.1800718540.0000000009B62000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://reallyfreegeoip.org/xml/8.46.123.189l | 3qr7JBuNuX.exe, 00000004.00000002.3020404812.00000000029DE000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://checkip.dyndns.comd | 3qr7JBuNuX.exe, 00000004.00000002.3020404812.00000000029DE000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://checkip.dyndns.org/q | 3qr7JBuNuX.exe, 00000000.00000002.1796395085.0000000004D69000.00000004.00000800.00020000.00000000.sdmp, 3qr7JBuNuX.exe, 00000004.00000002.3018038223.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high |
| http://www.jiyu-kobo.co.jp/ | 3qr7JBuNuX.exe, 00000000.00000002.1800718540.0000000009B62000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://reallyfreegeoip.org/xml/8.46.123.189d | 3qr7JBuNuX.exe, 00000004.00000002.3020404812.00000000029DE000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://reallyfreegeoip.org | 3qr7JBuNuX.exe, 00000004.00000002.3020404812.00000000029FC000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://checkip.dyndns.orgd | 3qr7JBuNuX.exe, 00000004.00000002.3020404812.00000000029DE000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.galapagosdesign.com/DPlease | 3qr7JBuNuX.exe, 00000000.00000002.1800718540.0000000009B62000.00000004.00000800.00020000.00000000.sdmp | false | | high |
                                                                                        https://reallyfreegeoip.org3qr7JBuNuX.exe, 00000004.00000002.3020404812.00000000029DE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://www.fontbureau.com/designers83qr7JBuNuX.exe, 00000000.00000002.1800718540.0000000009B62000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://www.fonts.com3qr7JBuNuX.exe, 00000000.00000002.1800718540.0000000009B62000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://www.sandoll.co.kr3qr7JBuNuX.exe, 00000000.00000002.1800718540.0000000009B62000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://checkip.dyndns.com3qr7JBuNuX.exe, 00000004.00000002.3020404812.00000000029DE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://www.urwpp.deDPlease3qr7JBuNuX.exe, 00000000.00000002.1800718540.0000000009B62000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://www.zhongyicts.com.cn3qr7JBuNuX.exe, 00000000.00000002.1800718540.0000000009B62000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://checkip.dyndns.org/d3qr7JBuNuX.exe, 00000004.00000002.3020404812.00000000029DE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://sci.libertyreserve.com/3qr7JBuNuX.exefalse
                                                                                                          high
                                                                                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name3qr7JBuNuX.exe, 00000000.00000002.1794545207.000000000395E000.00000004.00000800.00020000.00000000.sdmp, 3qr7JBuNuX.exe, 00000004.00000002.3020404812.0000000002961000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://www.sakkal.com3qr7JBuNuX.exe, 00000000.00000002.1800718540.0000000009B62000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://api.libertyreserve.com/beta/xml/accountname.aspx3qr7JBuNuX.exefalse
                                                                                                                high
                                                                                                                https://api.libertyreserve.com/beta/xml/balance.aspx3qr7JBuNuX.exefalse
                                                                                                                  high
                                                                                                                  https://api.telegram.org/bot-/sendDocument?chat_id=3qr7JBuNuX.exe, 00000000.00000002.1796395085.0000000004D69000.00000004.00000800.00020000.00000000.sdmp, 3qr7JBuNuX.exe, 00000004.00000002.3018038223.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://reallyfreegeoip.org/xml/3qr7JBuNuX.exe, 00000000.00000002.1796395085.0000000004D69000.00000004.00000800.00020000.00000000.sdmp, 3qr7JBuNuX.exe, 00000004.00000002.3018038223.0000000000402000.00000040.00000400.00020000.00000000.sdmp, 3qr7JBuNuX.exe, 00000004.00000002.3020404812.00000000029DE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
104.21.16.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
158.101.44.242 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588869
Start date and time: 2025-01-11 06:32:24 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 54s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 3qr7JBuNuX.exe
renamed because original name is a hash value
Original Sample Name: 34cdeda14b795125dcd164bdb038928d4febef64615d8f5b41318ec9e3ae990d.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/6@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 96
• Number of non-executed functions: 69
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 184.28.90.27, 52.149.20.212, 13.107.246.45
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
00:33:26 | API Interceptor | 1x Sleep call for process: 3qr7JBuNuX.exe modified
00:33:28 | API Interceptor | 16x Sleep call for process: powershell.exe modified
Match (IP) | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.16.1 | NFhRxwbegd.exe | malicious | FormBook | www.kkpmoneysocial.top/86am/
104.21.16.1 | JNKHlxGvw4.exe | malicious | DCRat, PureLog Stealer, zgRAT | 188387cm.n9shteam.in/videolinePipeHttplowProcessorgamelocalTemp.php
158.101.44.242 | lkETeneRL3.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
158.101.44.242 | 5qJ6QQTcRS.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
158.101.44.242 | prlsqnzspl.exe | malicious | MassLogger RAT | checkip.dyndns.org/
158.101.44.242 | njVvgA8pEB.exe | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
158.101.44.242 | yqfze5TKW7.exe | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
158.101.44.242 | VCU262Y2QB.exe | malicious | Snake Keylogger | checkip.dyndns.org/
158.101.44.242 | WGi85dsMNp.exe | malicious | GuLoader | checkip.dyndns.org/
158.101.44.242 | 3i1gMM8K4z.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
158.101.44.242 | vnV17JImCH.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
158.101.44.242 | PK5pHX4Gu5.exe | malicious | MassLogger RAT | checkip.dyndns.org/
Match (Domain) | Associated Sample Name / URL | Detection | Threat Name | Context
checkip.dyndns.com | lkETeneRL3.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
checkip.dyndns.com | 5qJ6QQTcRS.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | 158.101.44.242
checkip.dyndns.com | prgNb8YFEA.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | rlPy5vt1Dg.exe | malicious | MassLogger RAT | 132.226.247.73
checkip.dyndns.com | wZ6VEnOkie.exe | malicious | Snake Keylogger | 132.226.247.73
checkip.dyndns.com | prlsqnzspl.exe | malicious | MassLogger RAT | 158.101.44.242
checkip.dyndns.com | dZMT94YYwO.exe | malicious | MassLogger RAT | 193.122.130.0
checkip.dyndns.com | tNXl4XhgmV.exe | malicious | MassLogger RAT | 132.226.247.73
checkip.dyndns.com | MBOaS3GRtF.exe | malicious | Snake Keylogger | 132.226.8.169
checkip.dyndns.com | fpIGwanLZi.exe | malicious | Snake Keylogger | 132.226.8.169
reallyfreegeoip.org | lkETeneRL3.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.112.1
reallyfreegeoip.org | 5qJ6QQTcRS.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | 104.21.112.1
reallyfreegeoip.org | prgNb8YFEA.exe | malicious | Snake Keylogger | 104.21.112.1
reallyfreegeoip.org | rlPy5vt1Dg.exe | malicious | MassLogger RAT | 104.21.48.1
reallyfreegeoip.org | wZ6VEnOkie.exe | malicious | Snake Keylogger | 104.21.80.1
reallyfreegeoip.org | prlsqnzspl.exe | malicious | MassLogger RAT | 104.21.48.1
reallyfreegeoip.org | dZMT94YYwO.exe | malicious | MassLogger RAT | 104.21.16.1
reallyfreegeoip.org | tNXl4XhgmV.exe | malicious | MassLogger RAT | 104.21.48.1
reallyfreegeoip.org | MBOaS3GRtF.exe | malicious | Snake Keylogger | 104.21.64.1
reallyfreegeoip.org | fpIGwanLZi.exe | malicious | Snake Keylogger | 104.21.48.1
Match (ASN) | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | lkETeneRL3.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.112.1
CLOUDFLARENETUS | 5qJ6QQTcRS.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | 104.21.112.1
CLOUDFLARENETUS | https://mrohailkhan.com/energyaustralia/auth/auhs1/ | malicious | Unknown | 172.64.155.59
CLOUDFLARENETUS | 3.elf | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | prgNb8YFEA.exe | malicious | Snake Keylogger | 104.21.112.1
CLOUDFLARENETUS | wSoShbuXnJ.exe | malicious | FormBook | 104.21.86.111
CLOUDFLARENETUS | 1507513743282749438.js | malicious | Strela Downloader | 162.159.61.3
CLOUDFLARENETUS | rlPy5vt1Dg.exe | malicious | MassLogger RAT | 104.21.48.1
CLOUDFLARENETUS | C6Abn5cBei.exe | malicious | FormBook | 172.67.145.234
CLOUDFLARENETUS | wZ6VEnOkie.exe | malicious | Snake Keylogger | 104.21.80.1
ORACLE-BMC-31898US | lkETeneRL3.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
ORACLE-BMC-31898US | 5qJ6QQTcRS.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | 158.101.44.242
ORACLE-BMC-31898US | prgNb8YFEA.exe | malicious | Snake Keylogger | 193.122.6.168
ORACLE-BMC-31898US | prlsqnzspl.exe | malicious | MassLogger RAT | 158.101.44.242
ORACLE-BMC-31898US | dZMT94YYwO.exe | malicious | MassLogger RAT | 193.122.130.0
ORACLE-BMC-31898US | fpIGwanLZi.exe | malicious | Snake Keylogger | 193.122.6.168
ORACLE-BMC-31898US | n0nsAzvYNd.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 193.122.130.0
ORACLE-BMC-31898US | njVvgA8pEB.exe | malicious | MassLogger RAT, PureLog Stealer | 158.101.44.242
ORACLE-BMC-31898US | rwlPT9YJt0.exe | malicious | Snake Keylogger | 193.122.130.0
ORACLE-BMC-31898US | YDg44STseR.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
Match
  Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad
  lkETeneRL3.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.16.1
  5qJ6QQTcRS.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | 104.21.16.1
  prgNb8YFEA.exe | malicious | Snake Keylogger | 104.21.16.1
  rlPy5vt1Dg.exe | malicious | MassLogger RAT | 104.21.16.1
  wZ6VEnOkie.exe | malicious | Snake Keylogger | 104.21.16.1
  prlsqnzspl.exe | malicious | MassLogger RAT | 104.21.16.1
  dZMT94YYwO.exe | malicious | MassLogger RAT | 104.21.16.1
  tNXl4XhgmV.exe | malicious | MassLogger RAT | 104.21.16.1
  MBOaS3GRtF.exe | malicious | Snake Keylogger | 104.21.16.1
  fpIGwanLZi.exe | malicious | Snake Keylogger | 104.21.16.1
No context

Process: C:\Users\user\Desktop\3qr7JBuNuX.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 2232
Entropy (8bit): 5.380046556058007
Encrypted: false
SSDEEP: 48:tWSU4xympgv4RIoUP7gZ9tK8NPZHUx7u1iMuge//YUyus:tLHxv2IfLZ2KRH6Oug8s
MD5: 2628E843EF7060E91426823B102E13AA
SHA1: 6FE0AD465404E6929BFEBA2D4F397D8F2D295CE1
SHA-256: 4DC6B06D7934D36877120520E8EA2999A08349B2124C51B6444F52FC6C388C85
SHA-512: CD405D5274DB025437B70CDD2643D751431FFA83EE5BB84415F71B8F2B82EDDD0FD87BB5A77D9DDF6C198FC8193248975BE629BED5E32C0A63C6593C5F0222DF
Malicious: false
Reputation: low
Preview: @...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.553141665755069
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: 3qr7JBuNuX.exe
File size: 787'456 bytes
MD5: 35540c3d857437f1f715981f6d2a5930
SHA1: fb1fe8c43078023fbb8002b89ebbd01ac5dd149d
SHA256: 34cdeda14b795125dcd164bdb038928d4febef64615d8f5b41318ec9e3ae990d
SHA512: f7db1d32d42eafe559acc170b65897392edd6a73b56fa11e25d170d9f566e8105b18758ab9a900135b35ccef018ef87786d7d9737e17dca7be8837d900005970
SSDEEP: 12288:v328f2uE1zDoVEt4veWaixpQVVIgqGuLEPs7Hn4RnI18f2:v2u2uOUveWoWKcH40u2
TLSH: D5F4BFC03F26771ECD6DA9349426DCB8A1642E787005B6E3ADDE3B97768C1129E0DF90
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....cg..............0......2......>.... ........@.. .......................`............@................................
Icon Hash: 674d797961216d59
Entrypoint: 0x4bef3e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x6763EDBD [Thu Dec 19 09:56:13 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
                                                                                                                      add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbeef0 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc0000 | 0x2f48 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc4000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xbcf44 | 0xbd000 | 8b64a591633cd628a1626328e0767f0e | False | 0.839001529431217 | data | 7.550819638547243 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc0000 | 0x2f48 | 0x3000 | ab7d702117942235e782b14d2cbe1ac2 | False | 0.9447428385416666 | data | 7.740899429196905 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc4000 | 0xc | 0x200 | 52da343d9dfcf9891581e95cd3eb256e | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc00e8 | 0x2bf4 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9942232492001422
RT_GROUP_ICON | 0xc2cdc | 0x14 | data | | | 1.05
RT_VERSION | 0xc2cf0 | 0x258 | data | | | 0.485
DLL | Import
mscoree.dll | _CorExeMain
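The section table above is the static finding worth reproducing by hand: the executable .text section has an entropy of 7.55 bits/byte and a ZLIB complexity of 0.84, which for a .NET assembly whose only native import is mscoree.dll!_CorExeMain points to obfuscated or encrypted IL rather than plain compiled code. The .rsrc value of 7.74 is less telling, because the 256 x 256 PNG icon listed under resources is compressed data by design. The following is an added example written for this page, not Joe Sandbox tooling and not code from the sample: a standard-library-only PE section parser that computes the MD5, Entropy and ZLIB Complexity columns and flags high-entropy sections. ZLIB complexity is computed as compressed size over raw size, which is consistent with the table (the .reloc value 0.044921875 is exactly 23/512). The 7.0 threshold and the minimal PE image built by `build_sample_pe()` are my own assumptions.

```python
"""Added example (not Joe Sandbox code, not code from the sample): parse the
section headers of a PE image with the standard library only and compute the
MD5, Entropy and ZLIB Complexity columns of the report's section table,
flagging sections whose entropy is close to 8 bits/byte.  The PE image it
parses is constructed below, so the script runs offline."""
import hashlib
import math
import struct
import zlib

# IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes).
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)
IMAGE_SCN_MEM_EXECUTE = 0x20000000
PACKED_ENTROPY_THRESHOLD = 7.0   # assumption: a common triage cut-off, not a report value


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 max."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """Compressed size / raw size.  Values near or above 1.0 mean the bytes are
    already compressed or encrypted; near 0.0 means padding or repetitive data."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return one dict per section with the columns shown in the report."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    first_header = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        (name, vsize, va, raw_size, raw_ptr,
         _, _, _, _, chars) = struct.unpack_from(
            SECTION_HEADER_FMT, pe, first_header + i * SECTION_HEADER_SIZE)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        entropy = shannon_entropy(raw)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va,
            "virtual_size": vsize,
            "raw_size": raw_size,
            "md5": hashlib.md5(raw).hexdigest(),
            "zlib_complexity": zlib_complexity(raw),
            "entropy": entropy,
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            # Heuristic only: a PNG icon in .rsrc scores as high as packed code.
            "suspicious": entropy >= PACKED_ENTROPY_THRESHOLD,
        })
    return sections


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 (not the analysed sample): a .text section filled
    with a SHA-256 chain to mimic obfuscated code, and a 12-byte .reloc section
    padded to 0x200 like the report's relocation section."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)      # PE32 magic, rest zeroed
    text_hdr = struct.pack(SECTION_HEADER_FMT, b".text", 0x3F0, 0x2000, 0x400, 0x200,
                           0, 0, 0, 0, 0x60000020)                # CODE|EXECUTE|READ
    reloc_hdr = struct.pack(SECTION_HEADER_FMT, b".reloc", 0xC, 0x4000, 0x200, 0x600,
                            0, 0, 0, 0, 0x42000040)               # INITIALIZED_DATA|DISCARDABLE|READ
    headers = (dos + b"PE\0\0" + coff + optional + text_hdr + reloc_hdr).ljust(0x200, b"\0")
    blob, block = b"", b"constructed-seed"
    while len(blob) < 0x400:
        block = hashlib.sha256(block).digest()
        blob += block
    text_raw = blob[:0x400]
    reloc_raw = struct.pack("<II", 0x2000, 0xC).ljust(0x200, b"\0")
    return headers + text_raw + reloc_raw


if __name__ == "__main__":
    for s in parse_sections(build_sample_pe()):
        print(f"{s['name']:<8} VA=0x{s['virtual_address']:x} raw=0x{s['raw_size']:x} "
              f"md5={s['md5']} zlib={s['zlib_complexity']:.4f} "
              f"entropy={s['entropy']:.4f} suspicious={s['suspicious']}")
```

Read the entropy column together with the section's characteristics and the resource listing: an executable section near 8 bits/byte is the signal, a resource section holding a PNG is expected to look the same and should not be counted as evidence of packing.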
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-11T06:33:30.095168+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49733 | 158.101.44.242 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 06:33:29.206903934 CET | 49733 | 80 | 192.168.2.4 | 158.101.44.242
Jan 11, 2025 06:33:29.211986065 CET | 80 | 49733 | 158.101.44.242 | 192.168.2.4
Jan 11, 2025 06:33:29.212527990 CET | 49733 | 80 | 192.168.2.4 | 158.101.44.242
Jan 11, 2025 06:33:29.212888956 CET | 49733 | 80 | 192.168.2.4 | 158.101.44.242
Jan 11, 2025 06:33:29.217701912 CET | 80 | 49733 | 158.101.44.242 | 192.168.2.4
Jan 11, 2025 06:33:29.854826927 CET | 80 | 49733 | 158.101.44.242 | 192.168.2.4
Jan 11, 2025 06:33:29.860528946 CET | 49733 | 80 | 192.168.2.4 | 158.101.44.242
Jan 11, 2025 06:33:29.865394115 CET | 80 | 49733 | 158.101.44.242 | 192.168.2.4
Jan 11, 2025 06:33:30.040638924 CET | 80 | 49733 | 158.101.44.242 | 192.168.2.4
Jan 11, 2025 06:33:30.050005913 CET | 49734 | 443 | 192.168.2.4 | 104.21.16.1
Jan 11, 2025 06:33:30.050045967 CET | 443 | 49734 | 104.21.16.1 | 192.168.2.4
Jan 11, 2025 06:33:30.050530910 CET | 49734 | 443 | 192.168.2.4 | 104.21.16.1
Jan 11, 2025 06:33:30.057894945 CET | 49734 | 443 | 192.168.2.4 | 104.21.16.1
Jan 11, 2025 06:33:30.057912111 CET | 443 | 49734 | 104.21.16.1 | 192.168.2.4
Jan 11, 2025 06:33:30.095168114 CET | 49733 | 80 | 192.168.2.4 | 158.101.44.242
Jan 11, 2025 06:33:30.538526058 CET | 443 | 49734 | 104.21.16.1 | 192.168.2.4
Jan 11, 2025 06:33:30.538603067 CET | 49734 | 443 | 192.168.2.4 | 104.21.16.1
Jan 11, 2025 06:33:30.544349909 CET | 49734 | 443 | 192.168.2.4 | 104.21.16.1
Jan 11, 2025 06:33:30.544374943 CET | 443 | 49734 | 104.21.16.1 | 192.168.2.4
Jan 11, 2025 06:33:30.544682980 CET | 443 | 49734 | 104.21.16.1 | 192.168.2.4
Jan 11, 2025 06:33:30.595114946 CET | 49734 | 443 | 192.168.2.4 | 104.21.16.1
Jan 11, 2025 06:33:30.875581980 CET | 49734 | 443 | 192.168.2.4 | 104.21.16.1
Jan 11, 2025 06:33:30.919334888 CET | 443 | 49734 | 104.21.16.1 | 192.168.2.4
Jan 11, 2025 06:33:30.989353895 CET | 443 | 49734 | 104.21.16.1 | 192.168.2.4
Jan 11, 2025 06:33:30.989434004 CET | 443 | 49734 | 104.21.16.1 | 192.168.2.4
Jan 11, 2025 06:33:30.989480019 CET | 49734 | 443 | 192.168.2.4 | 104.21.16.1
Jan 11, 2025 06:33:30.995640039 CET | 49734 | 443 | 192.168.2.4 | 104.21.16.1
Jan 11, 2025 06:34:35.040237904 CET | 80 | 49733 | 158.101.44.242 | 192.168.2.4
Jan 11, 2025 06:34:35.040360928 CET | 49733 | 80 | 192.168.2.4 | 158.101.44.242
Jan 11, 2025 06:35:10.048731089 CET | 49733 | 80 | 192.168.2.4 | 158.101.44.242
Jan 11, 2025 06:35:10.053605080 CET | 80 | 49733 | 158.101.44.242 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 06:33:29.170255899 CET | 65476 | 53 | 192.168.2.4 | 1.1.1.1
Jan 11, 2025 06:33:29.176945925 CET | 53 | 65476 | 1.1.1.1 | 192.168.2.4
Jan 11, 2025 06:33:30.042365074 CET | 52633 | 53 | 192.168.2.4 | 1.1.1.1
Jan 11, 2025 06:33:30.049156904 CET | 53 | 52633 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 11, 2025 06:33:29.170255899 CET | 192.168.2.4 | 1.1.1.1 | 0x9835 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:33:30.042365074 CET | 192.168.2.4 | 1.1.1.1 | 0xc7be | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 11, 2025 06:33:29.176945925 CET | 1.1.1.1 | 192.168.2.4 | 0x9835 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 06:33:29.176945925 CET | 1.1.1.1 | 192.168.2.4 | 0x9835 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:33:29.176945925 CET | 1.1.1.1 | 192.168.2.4 | 0x9835 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:33:29.176945925 CET | 1.1.1.1 | 192.168.2.4 | 0x9835 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:33:29.176945925 CET | 1.1.1.1 | 192.168.2.4 | 0x9835 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:33:29.176945925 CET | 1.1.1.1 | 192.168.2.4 | 0x9835 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:33:30.049156904 CET | 1.1.1.1 | 192.168.2.4 | 0xc7be | No error (0) | reallyfreegeoip.org | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:33:30.049156904 CET | 1.1.1.1 | 192.168.2.4 | 0xc7be | No error (0) | reallyfreegeoip.org | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:33:30.049156904 CET | 1.1.1.1 | 192.168.2.4 | 0xc7be | No error (0) | reallyfreegeoip.org | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:33:30.049156904 CET | 1.1.1.1 | 192.168.2.4 | 0xc7be | No error (0) | reallyfreegeoip.org | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:33:30.049156904 CET | 1.1.1.1 | 192.168.2.4 | 0xc7be | No error (0) | reallyfreegeoip.org | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:33:30.049156904 CET | 1.1.1.1 | 192.168.2.4 | 0xc7be | No error (0) | reallyfreegeoip.org | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:33:30.049156904 CET | 1.1.1.1 | 192.168.2.4 | 0xc7be | No error (0) | reallyfreegeoip.org | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
                                                                                                                      • reallyfreegeoip.org
                                                                                                                      • checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49733 | 158.101.44.242 | 80 | 1880 | C:\Users\user\Desktop\3qr7JBuNuX.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:33:29.212888956 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 06:33:29.854826927 CET | 321 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 05:33:29 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 533468392b425ec1a7336abc376e37b7
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 06:33:29.860528946 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 11, 2025 06:33:30.040638924 CET | 321 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 05:33:29 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 3a25570a10e2cc4899e974a3965703de
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                      0192.168.2.449734104.21.16.14431880C:\Users\user\Desktop\3qr7JBuNuX.exe
                                                                                                                      TimestampBytes transferredDirectionData
2025-01-11 05:33:30 UTC  85 bytes  OUT  GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-11 05:33:30 UTC  863 bytes  IN  HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 05:33:30 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1888400
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N5dTqTuw7BLoo0f%2FcUpj0KSIvh1IKFThx9WI2CBEveFGrc1XOT%2FRDTEcBjLXBMsyvT6OuUDrPUdV26E%2FIakw3zHW3OjvCeHHp2dYg3fJqYUR3c2b8iNUdY6L8tPSUv%2BHO9%2Fw%2FUV%2B"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9002884c4c1241ba-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1678&min_rtt=1672&rtt_var=639&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1695702&cwnd=192&unsent_bytes=0&cid=53e9c87f30f6f158&ts=462&x=0"
2025-01-11 05:33:30 UTC  362 bytes  IN  Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo
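The exchange above is what the "Tries to detect the country of the analysis system (by using the IP)" and "HTTP GET or POST without a user agent" signatures key on: a bare GET to reallyfreegeoip.org for the sandbox's own public address, with no User-Agent header, answered by an XML document whose CountryCode field the sample can read. The following is an added example, not part of the Joe Sandbox report or of the sample, showing how to flag such a request in captured HTTP traffic and pull the country code out of the reply. The request is reproduced from the report; the response body is the visible XML fragment with only the truncated closing tags completed; the list of geolocation hosts beyond reallyfreegeoip.org is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed from the exchange recorded above: the request is reproduced
# verbatim; the response body is the visible XML fragment completed only with
# the closing tags that the report truncates.
SAMPLE_REQUEST = (
    "GET /xml/8.46.123.189 HTTP/1.1\r\n"
    "Host: reallyfreegeoip.org\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)
SAMPLE_RESPONSE_BODY = (
    "<Response>\n"
    "\t<IP>8.46.123.189</IP>\n"
    "\t<CountryCode>US</CountryCode>\n"
    "\t<CountryName>United States</CountryName>\n"
    "\t<RegionCode>NY</RegionCode>\n"
    "\t<RegionName>New York</RegionName>\n"
    "\t<City>New York</City>\n"
    "\t<ZipCode>10118</ZipCode>\n"
    "\t<TimeZone>America/New_York</TimeZone>\n"
    "</Response>\n"
)

# Public IP-geolocation services commonly queried by stealers to learn where
# they are running. Only reallyfreegeoip.org appears in the report; the other
# entries are an assumption and should be tuned to what the environment sees.
GEOIP_HOSTS = {"reallyfreegeoip.org", "freegeoip.app", "ip-api.com", "ipinfo.io"}


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def classify_request(raw):
    """Return the findings for one request; an empty list means nothing notable."""
    method, path, headers = parse_request(raw)
    findings = []
    if "user-agent" not in headers:
        # Browsers and most legitimate clients always send one; its absence is
        # what the "HTTP GET or POST without a user agent" signature reports.
        findings.append("no User-Agent header")
    host = headers.get("host", "").lower()
    if host in GEOIP_HOSTS:
        findings.append("IP geolocation lookup: %s %s%s" % (method, host, path))
    return findings


def country_from_response(body):
    """Extract CountryCode from a reallyfreegeoip.org XML body; '' if absent."""
    root = ET.fromstring(body)
    return (root.findtext("CountryCode") or "").strip()


if __name__ == "__main__":
    for finding in classify_request(SAMPLE_REQUEST):
        print(finding)
    print("CountryCode:", country_from_response(SAMPLE_RESPONSE_BODY))
```

The report only shows the lookup itself, not what the sample does with the result, so the example stops at extracting CountryCode. Note the Age and cf-cache-status headers: Cloudflare served a copy cached about three weeks earlier, so the geolocation a sample receives for a given address can be stale.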


                                                                                                                      Target ID:0
                                                                                                                      Start time:00:33:24
                                                                                                                      Start date:11/01/2025
                                                                                                                      Path:C:\Users\user\Desktop\3qr7JBuNuX.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:"C:\Users\user\Desktop\3qr7JBuNuX.exe"
                                                                                                                      Imagebase:0xfb0000
                                                                                                                      File size:787'456 bytes
                                                                                                                      MD5 hash:35540C3D857437F1F715981F6D2A5930
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Yara matches:
                                                                                                                      • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1796395085.0000000004D69000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1796395085.0000000004D69000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1796395085.0000000004D69000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1796395085.0000000004D69000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                      Reputation:low
                                                                                                                      Has exited:true

                                                                                                                      Target ID:2
                                                                                                                      Start time:00:33:27
                                                                                                                      Start date:11/01/2025
                                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3qr7JBuNuX.exe"
                                                                                                                      Imagebase:0x140000
                                                                                                                      File size:433'152 bytes
                                                                                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high
                                                                                                                      Has exited:true
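
Target ID 2 is the "Adds a directory exclusion to Windows Defender" behaviour: the sample launches PowerShell to add its own path to Defender's exclusion list. Two details worth reading off the entry: the Path is the SysWOW64 copy although the command line names System32, which is ordinary WOW64 file-system redirection for a 32-bit parent, and the sandbox ran the sample with administrator privileges, which Add-MpPreference requires, so on a standard-user host this step would fail. The report's Sigma hit ("Powershell Base64 Encoded MpPreference Cmdlet") also points at the variant a plain substring match misses, where the cmdlet is hidden behind -EncodedCommand. The following is an added example, not from the report, that scans process command lines for Defender-weakening MpPreference use and decodes -EncodedCommand payloads (base64 of UTF-16LE) before matching. The first sample command line is the one recorded above; the others, and the list of parameters treated as tampering, are constructed assumptions.

```python
import base64
import re

# Constructed process command lines. The first is the one recorded for
# Target ID 2 above; the rest are constructed variants, including an
# -EncodedCommand form (base64 of UTF-16LE) that a plain substring match misses.
_ENCODED_PAYLOAD = base64.b64encode(
    'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming"'.encode("utf-16le")
).decode("ascii")
SAMPLE_CMDLINES = [
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'Add-MpPreference -ExclusionPath "C:\\Users\\user\\Desktop\\3qr7JBuNuX.exe"',
    "powershell.exe -NoP -W Hidden -EncodedCommand " + _ENCODED_PAYLOAD,
    "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true",
    "powershell.exe Get-MpPreference",
]

# Add-/Set-MpPreference parameters that weaken Defender. The list is an
# assumption for this example and can be extended.
TAMPER_PARAMS = [
    "ExclusionPath", "ExclusionProcess", "ExclusionExtension",
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
    "DisableIOAVProtection", "DisableScriptScanning",
]
MP_TAMPER = re.compile(
    r"\b(Add|Set)-MpPreference\b.*?-(" + "|".join(TAMPER_PARAMS) + r")\b",
    re.IGNORECASE | re.DOTALL,
)


def _tokens(cmdline):
    # Keep double-quoted spans together, otherwise split on whitespace.
    return re.findall(r'"[^"]*"|\S+', cmdline)


def decoded_commands(cmdline):
    """Yield the plaintext of every -EncodedCommand argument in cmdline.

    powershell.exe accepts any unambiguous prefix of the switch (-e, -ec, -enc ...),
    so match on prefix rather than on the full name.
    """
    toks = _tokens(cmdline)
    for i in range(len(toks) - 1):
        t = toks[i].lower()
        if len(t) >= 2 and "-encodedcommand".startswith(t):
            try:
                yield base64.b64decode(toks[i + 1].strip('"'), validate=True).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                continue


def scan_cmdline(cmdline):
    """Return a finding dict for Defender-weakening MpPreference use, else None.

    The plain command line is checked first, then each decoded -EncodedCommand
    payload, so the base64 variant is reported with encoded=True.
    """
    candidates = [(False, cmdline)] + [(True, p) for p in decoded_commands(cmdline)]
    for encoded, text in candidates:
        m = MP_TAMPER.search(text)
        if m:
            param = next(p for p in TAMPER_PARAMS if p.lower() == m.group(2).lower())
            return {"cmdlet": m.group(1).title() + "-MpPreference",
                    "parameter": "-" + param, "encoded": encoded}
    return None


if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        print(scan_cmdline(c))
```

Run against Sysmon event 1 or Security 4688 command lines; Get-MpPreference is deliberately not matched, since reading the configuration is routine.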

                                                                                                                      Target ID:3
                                                                                                                      Start time:00:33:27
                                                                                                                      Start date:11/01/2025
                                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                      Imagebase:0x7ff7699e0000
                                                                                                                      File size:862'208 bytes
                                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high
                                                                                                                      Has exited:true

                                                                                                                      Target ID:4
                                                                                                                      Start time:00:33:27
                                                                                                                      Start date:11/01/2025
                                                                                                                      Path:C:\Users\user\Desktop\3qr7JBuNuX.exe
                                                                                                                      Wow64 process (32bit):true
                                                                                                                      Commandline:"C:\Users\user\Desktop\3qr7JBuNuX.exe"
                                                                                                                      Imagebase:0x470000
                                                                                                                      File size:787'456 bytes
                                                                                                                      MD5 hash:35540C3D857437F1F715981F6D2A5930
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:true
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Yara matches:
                                                                                                                      • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000004.00000002.3018038223.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3018038223.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.3018038223.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.3018038223.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3020404812.0000000002A83000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                      Reputation:low
                                                                                                                      Has exited:false

                                                                                                                      Target ID:5
                                                                                                                      Start time:00:33:30
                                                                                                                      Start date:11/01/2025
                                                                                                                      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                                      Wow64 process (32bit):false
                                                                                                                      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                      Imagebase:0x7ff693ab0000
                                                                                                                      File size:496'640 bytes
                                                                                                                      MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                                      Has elevated privileges:true
                                                                                                                      Has administrator privileges:false
                                                                                                                      Programmed in:C, C++ or other language
                                                                                                                      Reputation:high
                                                                                                                      Has exited:true


                                                                                                                        Execution Graph

                                                                                                                        Execution Coverage:12.3%
                                                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                                                        Signature Coverage:1.3%
                                                                                                                        Total number of Nodes:239
                                                                                                                        Total number of Limit Nodes:27
execution_graph (rendered interactively in the original report; the raw node/edge dump is omitted here). API calls referenced by its nodes: VirtualProtect (a057bd8), CreateIconFromResourceEx (a06c30f, a06c320), GetModuleHandleW (18ce548), CreateActCtxA (18c8d20), PostMessageW (a4f6600), DrawTextExW (a06b626), and the injection chain CreateProcessA (a4f3ca5/a4f3cb0), ReadProcessMemory (a4f3b11/a4f3b18), VirtualAllocEx (a4f3960/a4f3968), WriteProcessMemory (a4f3a20/a4f3a28), Wow64SetThreadContext (a4f3888/a4f3890) and ResumeThread (a4f37d9/a4f37e0), all reached from the dispatcher at a4f4ff0/a4f5000/a4f5050.
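The call chain in the execution graph (CreateProcessA, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext, ResumeThread) is the classic RunPE / process-hollowing sequence behind the "Injects a PE file into a foreign processes" and "Creates a process in suspended mode" signatures. The process list fits it: Target ID 0 spawns a second copy of the same executable (Target ID 4), exits, and Target ID 4 keeps running with Yara hits in memory at 0x402000, outside its own reported image base of 0x470000, consistent with a new image having been written at a fixed 0x400000. The following is an added example, not from the report, that matches this pattern in an ordered API trace: a child created with CREATE_SUSPENDED, written to through the returned process handle, its thread context replaced, then resumed. The trace is constructed to mirror the graph; PIDs, handles and addresses are made up, as the report does not expose them.

```python
CREATE_SUSPENDED = 0x00000004        # dwCreationFlags bit
PAGE_EXECUTE_READWRITE = 0x40        # flProtect value

# Constructed per-process API trace modelled on the call chain in the execution
# graph above (CreateProcessA -> ReadProcessMemory -> VirtualAllocEx ->
# WriteProcessMemory -> Wow64SetThreadContext -> ResumeThread). PIDs, handles
# and addresses are made up; the sandbox report does not expose them.
SAMPLE_TRACE = [
    {"pid": 1000, "api": "CreateProcessA",
     "args": {"lpApplicationName": r"C:\Users\user\Desktop\3qr7JBuNuX.exe", "dwCreationFlags": 0x4},
     "ret": {"hProcess": 0x2A8, "hThread": 0x2AC}},
    {"pid": 1000, "api": "Wow64GetThreadContext", "args": {"hThread": 0x2AC}, "ret": True},
    {"pid": 1000, "api": "ReadProcessMemory",
     "args": {"hProcess": 0x2A8, "lpBaseAddress": 0x7FFD6008, "nSize": 4}, "ret": True},
    {"pid": 1000, "api": "VirtualAllocEx",
     "args": {"hProcess": 0x2A8, "lpAddress": 0x400000, "dwSize": 0x9E000, "flProtect": 0x40}, "ret": 0x400000},
    {"pid": 1000, "api": "WriteProcessMemory",
     "args": {"hProcess": 0x2A8, "lpBaseAddress": 0x400000, "nSize": 0x400}, "ret": True},
    {"pid": 1000, "api": "WriteProcessMemory",
     "args": {"hProcess": 0x2A8, "lpBaseAddress": 0x402000, "nSize": 0x7C000}, "ret": True},
    {"pid": 1000, "api": "Wow64SetThreadContext", "args": {"hThread": 0x2AC}, "ret": True},
    {"pid": 1000, "api": "ResumeThread", "args": {"hThread": 0x2AC}, "ret": 1},
    # A debugger-style launch: suspended child resumed untouched. Must not match.
    {"pid": 2000, "api": "CreateProcessA",
     "args": {"lpApplicationName": r"C:\tools\target.exe", "dwCreationFlags": 0x4},
     "ret": {"hProcess": 0x310, "hThread": 0x314}},
    {"pid": 2000, "api": "ResumeThread", "args": {"hThread": 0x314}, "ret": 1},
]


def detect_hollowing(trace):
    """Flag every suspended child that was written to and had its thread
    context replaced before being resumed (the RunPE / hollowing pattern).

    State is keyed on the (pid, handle) pairs returned by CreateProcess, so
    writes to unrelated processes, or a suspended child that is merely
    resumed, do not trigger.
    """
    states = {}      # (pid, hProcess) -> progress
    by_thread = {}   # (pid, hThread)  -> (pid, hProcess)
    findings = []
    for ev in trace:
        pid, api, args, ret = ev["pid"], ev["api"], ev["args"], ev["ret"]
        if api in ("CreateProcessA", "CreateProcessW"):
            if args.get("dwCreationFlags", 0) & CREATE_SUSPENDED and ret:
                key = (pid, ret["hProcess"])
                states[key] = {"image": args.get("lpApplicationName"),
                               "writes": 0, "rwx_alloc": False, "ctx_set": False}
                by_thread[(pid, ret["hThread"])] = key
            continue
        pkey = (pid, args.get("hProcess"))
        tkey = by_thread.get((pid, args.get("hThread")))
        if api == "VirtualAllocEx" and pkey in states:
            if args.get("flProtect") == PAGE_EXECUTE_READWRITE:
                states[pkey]["rwx_alloc"] = True
        elif api == "WriteProcessMemory" and pkey in states:
            states[pkey]["writes"] += 1
        elif api in ("SetThreadContext", "Wow64SetThreadContext") and tkey in states:
            states[tkey]["ctx_set"] = True
        elif api == "ResumeThread" and tkey in states:
            st = states.pop(tkey)
            if st["writes"] and st["ctx_set"]:
                findings.append({"pid": pid, "child": st["image"],
                                 "writes": st["writes"], "rwx_alloc": st["rwx_alloc"]})
    return findings


if __name__ == "__main__":
    for finding in detect_hollowing(SAMPLE_TRACE):
        print(finding)
```

The Wow64 variants of the thread-context calls are included because, as the process list shows, both parent and child here are 32-bit processes on 64-bit Windows; a detector that only knows SetThreadContext would miss them.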
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1802176029.000000000A060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A060000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_a060000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: (o^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4|cq$4|cq$$^q
                                                                                                                        • API String ID: 0-2723476363
                                                                                                                        • Opcode ID: f47b0936a45956eae55839ce0ad3f86ca869d325ae12f426c743deba91479305
                                                                                                                        • Instruction ID: 1d5315e80b882d1b60f4428efdc3b8378be102d0e3a03d5ec6a5ada107d36052
                                                                                                                        • Opcode Fuzzy Hash: f47b0936a45956eae55839ce0ad3f86ca869d325ae12f426c743deba91479305
                                                                                                                        • Instruction Fuzzy Hash: C5632974A01219DFCB68DF28C898A9DBBB2BF89304F1585D9D449AB361DB31ED81CF50

Control-flow Graph (rendered interactively in the original report, with executed and not-executed blocks colour-coded; the raw basic-block dump is omitted here). Function beginning at a06a53c, basic blocks spanning a06a53c to a06c274, with calls to a06a54c, a06a558, a06a564, a06a574 and a06c2bf/a06c2d0, the latter being the CreateIconFromResourceEx path seen in the execution graph.
Strings
Memory Dump Source
• Source File: 00000000.00000002.1802176029.000000000A060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A060000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a060000_3qr7JBuNuX.jbxd
Similarity
• API ID:
• String ID: Hbq$Hbq$Hbq$Hbq$Hbq
• API String ID: 0-1677660839
• Opcode ID: ab29e12fa25f6f86b0f196f37c3cf765161f9d04bcd26287e90ed0f025ee2406
• Instruction ID: 5237e7a91fff5adc6c5c202ee8290a9e732b8853f4edbc3671c85bdf1ffba899
• Opcode Fuzzy Hash: ab29e12fa25f6f86b0f196f37c3cf765161f9d04bcd26287e90ed0f025ee2406
• Instruction Fuzzy Hash: 84326A70A002588FDB54DFB8C8507AEBBF2BF89304F1485AAD449EB395DB349985CF91

Control-flow Graph (graph rendering omitted; legend: Executed / Not Executed)
Strings
Memory Dump Source
• Source File: 00000000.00000002.1802088040.000000000A050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a050000_3qr7JBuNuX.jbxd
Similarity
• API ID:
• String ID: ry$ry$ry
• API String ID: 0-128149707
• Opcode ID: bc8d7f3ac10750f6c79793520e58424f3f1fa6d03f3eaa59506f0858384484ed
• Instruction ID: 95fae11f92344cbb0290be085b2a4d8ed961b12204fcdf0c97a62312bdca4e88
• Opcode Fuzzy Hash: bc8d7f3ac10750f6c79793520e58424f3f1fa6d03f3eaa59506f0858384484ed
• Instruction Fuzzy Hash: 81E19C71E0434ADFCB14CFA9D4854EEFBB2FF89340B159455D802AB219D734AA42CFA5

Control-flow Graph (graph rendering omitted; legend: Executed / Not Executed)
Strings
Memory Dump Source
• Source File: 00000000.00000002.1802088040.000000000A050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a050000_3qr7JBuNuX.jbxd
Similarity
• API ID:
• String ID: ry$ry$ry
• API String ID: 0-128149707
• Opcode ID: aa13ab807bacf0dc7e244abca404ae244d3726fd0f95f4d3c6ab518b67416431
• Instruction ID: 7e7da839c60a8ab1f3558422fb88623726e533847ac22589b8cdf08d0f037cfb
• Opcode Fuzzy Hash: aa13ab807bacf0dc7e244abca404ae244d3726fd0f95f4d3c6ab518b67416431
• Instruction Fuzzy Hash: A0E1AA71E1424ADFCB14CFA9D4854EEFFB2FF89340B199455D802AB219D734AA42CFA4

Control-flow Graph (graph rendering omitted; legend: Executed / Not Executed)
Strings
Memory Dump Source
• Source File: 00000000.00000002.1802088040.000000000A050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a050000_3qr7JBuNuX.jbxd
Similarity
• API ID:
• String ID: ry$ry$ry
• API String ID: 0-128149707
• Opcode ID: ae02adc896056bb0232163fd41a94486e4631da1a4da1931e8f9a5a0baac4f6b
• Instruction ID: f5f3176d66e22765e233071af3ae57cf7648219b56b607d5065591d2f3c12711
• Opcode Fuzzy Hash: ae02adc896056bb0232163fd41a94486e4631da1a4da1931e8f9a5a0baac4f6b
• Instruction Fuzzy Hash: F7C13C74D0520ADFCB14CFA9C4858AEFBB2FF89340F11D555D816AB218D734AA42CF95

Control-flow Graph (graph rendering omitted; legend: Executed / Not Executed)
Strings
Memory Dump Source
• Source File: 00000000.00000002.1802088040.000000000A050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a050000_3qr7JBuNuX.jbxd
Similarity
• API ID:
• String ID: Te^q$Te^q$z^I
• API String ID: 0-2886491258
• Opcode ID: f59eff7e2260aa2ed188a61ec97944c3eff29a09320abb150254939b127be293
• Instruction ID: 2004b2ba5b7b2083c899296248147d660d8e68152f793dd78ae149483f8977be
• Opcode Fuzzy Hash: f59eff7e2260aa2ed188a61ec97944c3eff29a09320abb150254939b127be293
• Instruction Fuzzy Hash: B6B13374E002498FCB04CFAAC4846DEBFF2EF8A300F28902AD455AB265D7349946CF64

Control-flow Graph (graph rendering omitted; legend: Executed / Not Executed)
Strings
Memory Dump Source
• Source File: 00000000.00000002.1802088040.000000000A050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a050000_3qr7JBuNuX.jbxd
Similarity
• API ID:
• String ID: Te^q$Te^q$z^I
• API String ID: 0-2886491258
• Opcode ID: a637ab4a8ff93eee32e33f3764e1c00ee39610e8a4fb3e2e596c0604438b2201
• Instruction ID: 883e62bf1992991ae5d6394035fd3d36140c78b9c546e9b44581bf96b1e666b5
• Opcode Fuzzy Hash: a637ab4a8ff93eee32e33f3764e1c00ee39610e8a4fb3e2e596c0604438b2201
• Instruction Fuzzy Hash: D791B274E002199FCB58CFAAC58499EFBB2FF89300F24942AD815BB364D7749945CF64

Control-flow Graph (graph rendering omitted; legend: Executed / Not Executed)
Strings
Memory Dump Source
• Source File: 00000000.00000002.1802088040.000000000A050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a050000_3qr7JBuNuX.jbxd
Similarity
• API ID:
• String ID: TuA$UC;"
• API String ID: 0-2071649361
• Opcode ID: df6a01ae2aca2446634151ba6043b92cecc4cb4cfda43b5ae731d62cc0b2ff52
• Instruction ID: bc3b67499d27e5cb0ff18713dacee33bdf66cca23f489d8664bac1545e860536
• Opcode Fuzzy Hash: df6a01ae2aca2446634151ba6043b92cecc4cb4cfda43b5ae731d62cc0b2ff52
• Instruction Fuzzy Hash: 02A1F774D0520DEFCB18CFAAE5C05AEFBB2EF89350F10942AE815AB264D7749952CF50

Control-flow Graph (graph rendering omitted; legend: Executed / Not Executed)
Strings
Memory Dump Source
• Source File: 00000000.00000002.1793637764.00000000018C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_18c0000_3qr7JBuNuX.jbxd
Similarity
• API ID:
• String ID: Te^q$Te^q
• API String ID: 0-3743469327
• Opcode ID: 8aff0f7f13207ffddde265ca337a72fdcec4304f1ff57b731b8f9a7258c5b14d
• Instruction ID: f41dfa15a3460124486a7a2d3a483d5be50a34747439ff4348424370faafb3fe
• Opcode Fuzzy Hash: 8aff0f7f13207ffddde265ca337a72fdcec4304f1ff57b731b8f9a7258c5b14d
• Instruction Fuzzy Hash: 4981E038A11215CFC7158F28C48456ABBF2FF8AB48B24845EF445DB361CB31DA46CB92
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1793637764.00000000018C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018C0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_18c0000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: |-
                                                                                                                        • API String ID: 0-2980719050
                                                                                                                        • Opcode ID: e9c38b0c0da9935f256795425cf2b79e9a65af7c4532fd5183f0117bc0008cc3
                                                                                                                        • Instruction ID: 9e608f87f34221a89156ce66306fa25d505281422547d361a336fd8372b62b6f
                                                                                                                        • Opcode Fuzzy Hash: e9c38b0c0da9935f256795425cf2b79e9a65af7c4532fd5183f0117bc0008cc3
                                                                                                                        • Instruction Fuzzy Hash: 9F71C371604115CFD74ACF68C58042EBBB7FB85B04B46896AE802EF2D6C730EE45CB66
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1802088040.000000000A050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A050000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_a050000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: 5=6
                                                                                                                        • API String ID: 0-2897083178
                                                                                                                        • Opcode ID: 381ff946af5f9011d27c32840f4806eb624a737c2b28cdb9cd16bd97830e63b7
                                                                                                                        • Instruction ID: 2fb7a10ece0860e77b7d0bf31e8f2fe83596530cd81d4e8247fde52bfab0ae81
                                                                                                                        • Opcode Fuzzy Hash: 381ff946af5f9011d27c32840f4806eb624a737c2b28cdb9cd16bd97830e63b7
                                                                                                                        • Instruction Fuzzy Hash: BA712874E0521AAFCB48CFE5D9444AEFBF2FF89200F10992AD41AF7254D7B49A018F65
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1802088040.000000000A050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A050000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_a050000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: -2m
                                                                                                                        • API String ID: 0-2686427999
                                                                                                                        • Opcode ID: 79fd0a16af375e0b164fdd8eb1094cc2e8d908dba4ee1bf8f465b51a1c05c435
                                                                                                                        • Instruction ID: e4e1d007aeab1a415a0b9f8af420e636190d499253cd6c8c903a8c026c1080b5
                                                                                                                        • Opcode Fuzzy Hash: 79fd0a16af375e0b164fdd8eb1094cc2e8d908dba4ee1bf8f465b51a1c05c435
                                                                                                                        • Instruction Fuzzy Hash: 25611774E0420ADFCB44DFA9C4805AEFBF2FF89301F24956AD816A7254D7749A41CF50
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1802088040.000000000A050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A050000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_a050000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: -2m
                                                                                                                        • API String ID: 0-2686427999
                                                                                                                        • Opcode ID: 80dbcf309f0ef83362ef746bdfb2066712b0bc5e2f3e665a5545b004cfd99a80
                                                                                                                        • Instruction ID: e7a523218421f02aa21ff1726f0c7d2072373b5053ce5dd1fd4ad90900b3b3b2
                                                                                                                        • Opcode Fuzzy Hash: 80dbcf309f0ef83362ef746bdfb2066712b0bc5e2f3e665a5545b004cfd99a80
                                                                                                                        • Instruction Fuzzy Hash: D3513B70D04219DFCB08DFAAD4446AEFBF2EF88301F24D16AD81AA7254E7349941CF65
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1802176029.000000000A060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A060000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_a060000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 6299f08e9aa126e4b6354491a5895b9f2daecc6fdc9c10df872bcd601a1b7336
                                                                                                                        • Instruction ID: 34934270b7c2a9a70a8183cc708b04349fa81222536b1d4dea412b7d8139eca6
                                                                                                                        • Opcode Fuzzy Hash: 6299f08e9aa126e4b6354491a5895b9f2daecc6fdc9c10df872bcd601a1b7336
                                                                                                                        • Instruction Fuzzy Hash: A0C159B0E00218DFDF64DFA8C880799BBF2AF89314F14C1AAD449AB255EB70D985CF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1793637764.00000000018C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018C0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_18c0000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 64df42647a031906610f4f37f58ada53e93a6724536aa404288dc7d1684c8345
                                                                                                                        • Instruction ID: 1377fa15356fc161fd27f4c93d76cdb03cec4b32e89c553622740fdc73adcd2d
                                                                                                                        • Opcode Fuzzy Hash: 64df42647a031906610f4f37f58ada53e93a6724536aa404288dc7d1684c8345
                                                                                                                        • Instruction Fuzzy Hash: B881E471604215CFD74ACF68C58046ABBB3FF85704B56859AE802EF2E5C730EE45CB56
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1802088040.000000000A050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A050000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_a050000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 9efaad9aacd705cb0d4e19ac8ad52c2f53f8ccdef2eb9739d1916eee2c4948c9
                                                                                                                        • Instruction ID: 0f13346517d9c5d125dea4384dd16125a824b7c4ed4984642cc5fd1372502efd
                                                                                                                        • Opcode Fuzzy Hash: 9efaad9aacd705cb0d4e19ac8ad52c2f53f8ccdef2eb9739d1916eee2c4948c9
                                                                                                                        • Instruction Fuzzy Hash: 3D31F771E016188BEB58CFAAD9443DEFBB3BFC8310F14C16AD409AA268DB341A55CF50
                                                                                                                        APIs
                                                                                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0A4F3EE6
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1803159496.000000000A4F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A4F0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_a4f0000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateProcess
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 963392458-0
                                                                                                                        • Opcode ID: 11693546c7fcf26b3b6080d63317834ac50b4ec3b12eece2cf82d5e74aeb1e2d
                                                                                                                        • Instruction ID: b7d0c6e628f9ef539a1d980282c83b013aa522754ff97c74bd03b5052fd17356
                                                                                                                        • Opcode Fuzzy Hash: 11693546c7fcf26b3b6080d63317834ac50b4ec3b12eece2cf82d5e74aeb1e2d
                                                                                                                        • Instruction Fuzzy Hash: C5A16D71D00619DFDB20CF68C8417EEBBB2BF44314F1485AAE928AB354DB74A985CF91
                                                                                                                        APIs
                                                                                                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0A4F3EE6
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1803159496.000000000A4F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A4F0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_a4f0000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateProcess
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 963392458-0
                                                                                                                        • Opcode ID: 2a85c8c86268c210a3f6152da4964f4315ba77de8bdf943754ec7395a38ee79b
                                                                                                                        • Instruction ID: 39cbe768db99b0840f3959e5f1a04a12df23a67ff835b1cb7f04319930ce90d4
                                                                                                                        • Opcode Fuzzy Hash: 2a85c8c86268c210a3f6152da4964f4315ba77de8bdf943754ec7395a38ee79b
                                                                                                                        • Instruction Fuzzy Hash: 36917E71D00619DFDB10CFA8C8417DEBBB2BF44314F1485AAE928AB344DB74A985CF91
                                                                                                                        APIs
                                                                                                                        • CreateActCtxA.KERNEL32(?), ref: 018C8DD1
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1793637764.00000000018C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018C0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_18c0000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Create
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2289755597-0
                                                                                                                        • Opcode ID: 7e15f5b3b1412c6eb54cc9600df019ad035428ec0ae4b1ad21dac061eb0b46dd
                                                                                                                        • Instruction ID: c4a7326862ccdbf211344dd57082394b3835bff5496a7b735c4e4bd54c1ed228
                                                                                                                        • Opcode Fuzzy Hash: 7e15f5b3b1412c6eb54cc9600df019ad035428ec0ae4b1ad21dac061eb0b46dd
                                                                                                                        • Instruction Fuzzy Hash: B641F1B1C0061DDFDB24CFA9C884BDEBBB5BF89704F24806AD408AB255DB756946CF90
                                                                                                                        APIs
                                                                                                                        • CreateActCtxA.KERNEL32(?), ref: 018C8DD1
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1793637764.00000000018C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018C0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_18c0000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Create
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2289755597-0
                                                                                                                        • Opcode ID: b750749c0636b0f9cb11bee68f741b0bd5e675abf1f12598b88a0b17ab27dd1c
                                                                                                                        • Instruction ID: f8c286b61abea9fe9b682741dc305e26b5ee23c6df603889e8d7047fc7b8d212
                                                                                                                        • Opcode Fuzzy Hash: b750749c0636b0f9cb11bee68f741b0bd5e675abf1f12598b88a0b17ab27dd1c
                                                                                                                        • Instruction Fuzzy Hash: A341F1B0C0061DDFDB24CFA9C844B9EBBF5BF4A704F20806AD408AB255DB756945CF90
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1802176029.000000000A060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A060000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_a060000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: CreateFromIconResource
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3668623891-0
                                                                                                                        • Opcode ID: 901d30188ed4054f312aa14eb127b38316f4d262b9096926bf32baf5a82080d5
                                                                                                                        • Instruction ID: 0736c9079a8c2f239a644fc440b34ea0979a3a474b007e12ff7d5b5f9cba0533
                                                                                                                        • Opcode Fuzzy Hash: 901d30188ed4054f312aa14eb127b38316f4d262b9096926bf32baf5a82080d5
                                                                                                                        • Instruction Fuzzy Hash: 243178729043989FDB11CFA9D844AEEBFF8EF49310F14846AE994A7221C3359850DFA1
                                                                                                                        APIs
                                                                                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0A4F3AB8
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1803159496.000000000A4F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A4F0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_a4f0000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MemoryProcessWrite
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3559483778-0
                                                                                                                        • Opcode ID: ead23a44e0b01ffc1e85be2b08b389a46e632260fe2af90be6d77c7a5ddcef6e
                                                                                                                        • Instruction ID: d5973bc1520918b0d5367a23f9d4f865ccb126fa23430e4487a21773ea50b465
                                                                                                                        • Opcode Fuzzy Hash: ead23a44e0b01ffc1e85be2b08b389a46e632260fe2af90be6d77c7a5ddcef6e
                                                                                                                        • Instruction Fuzzy Hash: 9E2159719002499FDB10CFAAC885BEEBBF1FF48310F10882AE569A7350C774A545CF94
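The "Memory Dump Source" descriptors above say where each disassembled function was recovered from: the CreateProcessA and WriteProcessMemory call sites both sit in the 0A4F0000 region, which is marked "based on PE: false", i.e. code that was never part of a mapped image. The following is an added example, not part of the Joe Sandbox report or its tooling: a Python parser that reads the "APIs" and "Memory Dump Source" lines of entries like these, decodes the page protection and memory type fields of the .sdmp name, and flags regions that are writable and executable, not backed by a PE, and contain process-injection call sites. The sample input is a constructed excerpt copied from this section. The Win32 constants are standard; the field layout assumed for the .sdmp name beyond the base address (which matches the report's Offset) is an assumption about the report format and should be checked against the vendor's documentation.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# winnt.h page protection values (low byte) and modifier bits.
PROTECT_NAMES = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PROTECT_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
WRITABLE_EXECUTABLE = {0x40, 0x80}
# MEMORY_BASIC_INFORMATION.Type values.
MEM_TYPE_NAMES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
# Call sites that, seen together in one region, indicate code written into another process.
INJECTION_APIS = {"CreateProcessA", "CreateProcessW", "VirtualAllocEx", "WriteProcessMemory",
                  "NtUnmapViewOfSection", "SetThreadContext", "ResumeThread"}

API_LINE = re.compile(r"•\s*([A-Za-z0-9_]+)\.[A-Za-z0-9_]+\(")
SOURCE_LINE = re.compile(
    r"Source File:\s*(\S+\.sdmp),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)", re.I)


@dataclass
class DumpRegion:
    process_index: int
    base: int
    protect: int
    mem_type: int
    pe_backed: bool
    apis: Set[str] = field(default_factory=set)

    @property
    def protect_name(self) -> str:
        low = self.protect & 0xFF
        names = [PROTECT_NAMES.get(low, hex(low))]
        names += [n for bit, n in PROTECT_MODIFIERS.items() if self.protect & bit]
        return "|".join(names)

    @property
    def type_name(self) -> str:
        return MEM_TYPE_NAMES.get(self.mem_type, hex(self.mem_type))

    @property
    def writable_executable(self) -> bool:
        return (self.protect & 0xFF) in WRITABLE_EXECUTABLE


def parse_sdmp(name: str, pe_backed: bool = False) -> DumpRegion:
    """Decode the eight dot-separated hex fields of a Joe Sandbox .sdmp name."""
    stem = name[:-len(".sdmp")] if name.endswith(".sdmp") else name
    parts = stem.split(".")
    if len(parts) != 8 or not all(re.fullmatch(r"[0-9A-Fa-f]+", p) for p in parts):
        raise ValueError(f"unexpected .sdmp descriptor: {name}")
    vals = [int(p, 16) for p in parts]
    # ASSUMED layout: [0] process index, [3] base address (equals the report's Offset),
    # [4] page protection, [6] memory type. Fields 1, 2, 5 and 7 are left undecoded.
    return DumpRegion(process_index=vals[0], base=vals[3], protect=vals[4],
                      mem_type=vals[6], pe_backed=pe_backed)


def parse_report(text: str) -> Dict[int, DumpRegion]:
    """Collect API call sites per region; in each entry 'APIs' precede 'Memory Dump Source'."""
    regions: Dict[int, DumpRegion] = {}
    pending: Set[str] = set()
    for line in text.splitlines():
        m = API_LINE.search(line)
        if m:
            pending.add(m.group(1))
            continue
        m = SOURCE_LINE.search(line)
        if not m:
            continue
        region = parse_sdmp(m.group(1), pe_backed=m.group(3).lower() == "true")
        if region.base != int(m.group(2), 16):
            raise ValueError(f"descriptor base {region.base:#x} does not match Offset {m.group(2)}")
        regions.setdefault(region.base, region).apis |= pending  # merge functions of one region
        pending = set()
    return regions


def triage(regions: Dict[int, DumpRegion]) -> Dict[str, List[str]]:
    """Reasons to look at each region; all three together point at a process-injection stub."""
    findings: Dict[str, List[str]] = {}
    for base, r in sorted(regions.items()):
        reasons = []
        if r.writable_executable:
            reasons.append(f"writable and executable ({r.protect_name})")
        if not r.pe_backed:
            reasons.append(f"not backed by a PE image ({r.type_name})")
        hits = sorted(r.apis & INJECTION_APIS)
        if hits:
            reasons.append("injection call sites: " + ", ".join(hits))
        findings[f"0x{base:08X}"] = reasons
    return findings


def injection_candidates(regions: Dict[int, DumpRegion]) -> List[str]:
    return [k for k, v in triage(regions).items() if len(v) == 3]


# Constructed excerpt: three entries copied from this report section.
SAMPLE = """\
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0A4F3EE6
Memory Dump Source
• Source File: 00000000.00000002.1803159496.000000000A4F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A4F0000, based on PE: false
APIs
• CreateActCtxA.KERNEL32(?), ref: 018C8DD1
Memory Dump Source
• Source File: 00000000.00000002.1793637764.00000000018C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018C0000, based on PE: false
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0A4F3AB8
Memory Dump Source
• Source File: 00000000.00000002.1803159496.000000000A4F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A4F0000, based on PE: false
"""

if __name__ == "__main__":
    for region, reasons in triage(parse_report(SAMPLE)).items():
        print(region, "->", "; ".join(reasons) or "nothing notable")
```

On the excerpt, both regions are RWX and not PE-backed (the 018C0000 region only calls CreateActCtxA, so it is unpacked code but not the injector), while 0A4F0000 collects CreateProcessA and WriteProcessMemory from two separate functions and is the one to pull for further analysis; this agrees with the "Injects a PE file into a foreign processes" and "Creates a process in suspended mode" signatures in the report header.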
                                                                                                                        APIs
                                                                                                                        • DrawTextExW.USER32(?,?,?,?,?,?), ref: 0A06B66F
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1802176029.000000000A060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A060000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_a060000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: DrawText
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2175133113-0
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0A4F3AB8
Memory Dump Source
• Source File: 00000000.00000002.1803159496.000000000A4F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A4F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a4f0000_3qr7JBuNuX.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
APIs
• DrawTextExW.USER32(?,?,?,?,?,?), ref: 0A06B66F
Memory Dump Source
• Source File: 00000000.00000002.1802176029.000000000A060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A060000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a060000_3qr7JBuNuX.jbxd
Similarity
• API ID: DrawText
• String ID:
• API String ID: 2175133113-0
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0A4F390E
Memory Dump Source
• Source File: 00000000.00000002.1803159496.000000000A4F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A4F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a4f0000_3qr7JBuNuX.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0A4F3B98
Memory Dump Source
• Source File: 00000000.00000002.1803159496.000000000A4F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A4F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a4f0000_3qr7JBuNuX.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0A4F390E
Memory Dump Source
• Source File: 00000000.00000002.1803159496.000000000A4F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A4F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a4f0000_3qr7JBuNuX.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0A4F3B98
Memory Dump Source
• Source File: 00000000.00000002.1803159496.000000000A4F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A4F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a4f0000_3qr7JBuNuX.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0A4F39D6
Memory Dump Source
• Source File: 00000000.00000002.1803159496.000000000A4F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A4F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a4f0000_3qr7JBuNuX.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 0A057C03
Memory Dump Source
• Source File: 00000000.00000002.1802088040.000000000A050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a050000_3qr7JBuNuX.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
APIs
• CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,0A06C2EA,?,?,?,?,?), ref: 0A06C38F
Memory Dump Source
• Source File: 00000000.00000002.1802176029.000000000A060000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A060000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a060000_3qr7JBuNuX.jbxd
Similarity
• API ID: CreateFromIconResource
• String ID:
• API String ID: 3668623891-0
APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 0A057C03
Memory Dump Source
• Source File: 00000000.00000002.1802088040.000000000A050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a050000_3qr7JBuNuX.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0A4F39D6
Memory Dump Source
• Source File: 00000000.00000002.1803159496.000000000A4F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A4F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a4f0000_3qr7JBuNuX.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1803159496.000000000A4F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A4F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a4f0000_3qr7JBuNuX.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1803159496.000000000A4F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A4F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a4f0000_3qr7JBuNuX.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 0A4F665D
Memory Dump Source
• Source File: 00000000.00000002.1803159496.000000000A4F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A4F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a4f0000_3qr7JBuNuX.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
                                                                                                                        • Opcode ID: 71077e8b3fba1d093712c1c152666a4e28cea1e5e54cf8ff33ef6e397e8d3763
                                                                                                                        • Instruction ID: 19de331bcdf55c0f38b68aa5054c49973a140becb21e2909e6d96b791d02114e
                                                                                                                        • Opcode Fuzzy Hash: 71077e8b3fba1d093712c1c152666a4e28cea1e5e54cf8ff33ef6e397e8d3763
                                                                                                                        • Instruction Fuzzy Hash: CA11F5B58003489FDB10DF99D845BDEFBF8EB49310F10881AE568A7210C375A944CFA5
                                                                                                                        APIs
                                                                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 018CE566
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1793637764.00000000018C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018C0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_18c0000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: HandleModule
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 4139908857-0
                                                                                                                        • Opcode ID: 856261e7335dffcdd9d1a89d54589d56aada6e970ec257e7337e48dd786cc344
                                                                                                                        • Instruction ID: e38be4f7142389588a11da007c8cf111995a841f995d79fa78b84ac1e15aaf6c
                                                                                                                        • Opcode Fuzzy Hash: 856261e7335dffcdd9d1a89d54589d56aada6e970ec257e7337e48dd786cc344
                                                                                                                        • Instruction Fuzzy Hash: FE11FDB6C002498BDB10CF9AC444A9EFFF4AB88720F10842AD528A7610D379A645CFA1
                                                                                                                        APIs
                                                                                                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 0A4F665D
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1803159496.000000000A4F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A4F0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_a4f0000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: MessagePost
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 410705778-0
                                                                                                                        • Opcode ID: 5580b9b2c89600bce3a627b9b1e81831da88cfc8690a787a0397bab294632ff3
                                                                                                                        • Instruction ID: 53126b8b2f69d81303a82192e6cd00953b5d6a7fb79c6965b8e62b3207630609
                                                                                                                        • Opcode Fuzzy Hash: 5580b9b2c89600bce3a627b9b1e81831da88cfc8690a787a0397bab294632ff3
                                                                                                                        • Instruction Fuzzy Hash: 481133B58003888FDB10CF99C889BEEFFF4EB58310F14845AE568A7211C375A944CFA4
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1793228579.000000000187D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187D000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_187d000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 800e42d7d937f8951e0f7342578f8eabf281ea0597382c1200c6d8b79821b8a1
                                                                                                                        • Instruction ID: 82ce3dac609880fcb79af6b539ca3a709621ad848d6c5f99ea70abd42b22afde
                                                                                                                        • Opcode Fuzzy Hash: 800e42d7d937f8951e0f7342578f8eabf281ea0597382c1200c6d8b79821b8a1
                                                                                                                        • Instruction Fuzzy Hash: 5F213771614204DFDB01DF98D5C0B26BBA5FF84328F24C66DD9098B252C336E547CA61
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1793228579.000000000187D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187D000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_187d000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 2afbbc0797a91dde9bdf4f6a24e5b1e36085ad3a4c58e075e8ad9c0978904854
                                                                                                                        • Instruction ID: b00ca8b3eb4ab34becde0120ad060e154d5bb409d0c459551f4401536e09464e
                                                                                                                        • Opcode Fuzzy Hash: 2afbbc0797a91dde9bdf4f6a24e5b1e36085ad3a4c58e075e8ad9c0978904854
                                                                                                                        • Instruction Fuzzy Hash: F9212271604204DFCB16DF58D9C4B26BFA5EF84318F20C66DD80A8B256C33AD547CA61
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1793228579.000000000187D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187D000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_187d000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                        • Instruction ID: 7912cb0c55922cb99894247c516513731acca7d2f5e342e5bb316293b42c038e
                                                                                                                        • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                        • Instruction Fuzzy Hash: E611BE75504280CFDB12CF54D5C4B15BF61FB44314F24C6AAD8098B656C33AD50ACB61
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1793228579.000000000187D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187D000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_187d000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                        • Instruction ID: 630e0163aedaca3a22d407a1e6d9cf340468ad7ae5aeee7c7a772fbaf2203c76
                                                                                                                        • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                        • Instruction Fuzzy Hash: 8B11BB75504280DFDB02CF54C5C4B15BFA2FF84324F28C6AADC498B296C33AE40ACB61
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1793067568.000000000186D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0186D000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_186d000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 4a0e9261167aa9301ff336edf8b730f650caa552e0751a83e960ab09d21ca5f1
                                                                                                                        • Instruction ID: f427e7787e09cac67abfb51b3e551c9246182dd6d1de854ddc33b032215788f5
                                                                                                                        • Opcode Fuzzy Hash: 4a0e9261167aa9301ff336edf8b730f650caa552e0751a83e960ab09d21ca5f1
                                                                                                                        • Instruction Fuzzy Hash: BA012B312083849AE7104E69CD84B67FFDCDF41324F08CA2AED488E286C27DD940CBB2
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1793067568.000000000186D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0186D000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_186d000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: f4c49cdcad5546949c1f355eaadd7632215cab58e6018bff2c8bb68563c4abe9
                                                                                                                        • Instruction ID: 3fe321fb95e25294f9ad755a2ef17fd52bcf8e2375be4b8a98e2b85f3bda7d0f
                                                                                                                        • Opcode Fuzzy Hash: f4c49cdcad5546949c1f355eaadd7632215cab58e6018bff2c8bb68563c4abe9
                                                                                                                        • Instruction Fuzzy Hash: 93F062715083849AE7118E1ADC88B62FFACEB81734F18C55AED484A286C2799844CBB1
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1802088040.000000000A050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A050000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_a050000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: {#L
                                                                                                                        • API String ID: 0-1361971085
                                                                                                                        • Opcode ID: 5eb66b3a712f4ff3c5534c16a4c4fa040f06487ffca064242732303b2510f0bc
                                                                                                                        • Instruction ID: d861d78c5073b595c42017220a5c975658aeac43e83dd32103ecbb853dbc6977
                                                                                                                        • Opcode Fuzzy Hash: 5eb66b3a712f4ff3c5534c16a4c4fa040f06487ffca064242732303b2510f0bc
                                                                                                                        • Instruction Fuzzy Hash: A2D10270E05259DFCB18CFEAD98859EFBF2BF88350F14D52AD419AB224DB7499428F10
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1802088040.000000000A050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A050000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_a050000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: l|
                                                                                                                        • API String ID: 0-1955549514
                                                                                                                        • Opcode ID: fb121c1143feb38ed1afb255348b55125f6f3fa84bf58b42258b8b1613f63c80
                                                                                                                        • Instruction ID: e00fff8840ed375e0aa0501207ca7c416465a5a81c86c1437ab264876f468815
                                                                                                                        • Opcode Fuzzy Hash: fb121c1143feb38ed1afb255348b55125f6f3fa84bf58b42258b8b1613f63c80
                                                                                                                        • Instruction Fuzzy Hash: 81717EB4E0520EAFCB08CFA9C4914AFFBB2FF88240F14D569D805AB215D7749A41CF52
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1802088040.000000000A050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A050000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_a050000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: 98R
                                                                                                                        • API String ID: 0-576591972
                                                                                                                        • Opcode ID: d4cb120d5034e2a4e65d01994f7e55d7356706243db01ffff9900b5b23b2222c
                                                                                                                        • Instruction ID: 0bbb5fc8348746be2ff9b4ca99386230befd0c88a917a7d24f81a4a1cf7d81f8
                                                                                                                        • Opcode Fuzzy Hash: d4cb120d5034e2a4e65d01994f7e55d7356706243db01ffff9900b5b23b2222c
                                                                                                                        • Instruction Fuzzy Hash: 8A711774E0520EEFCB18DFA9D581AAEFBB1FB89310F148529D815AB314D3749A42CF94
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1802088040.000000000A050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A050000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_a050000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: iUfo
                                                                                                                        • API String ID: 0-3820436262
                                                                                                                        • Opcode ID: f5f93de5af35d5e77f21d765dd5c6404674ad6f72c01a5e88ca3a61f9bc0fe49
                                                                                                                        • Instruction ID: 480cce5b269b6e5d58000d1619e13f37296c59ea0cd1780f7adcfb44bc191a8b
                                                                                                                        • Opcode Fuzzy Hash: f5f93de5af35d5e77f21d765dd5c6404674ad6f72c01a5e88ca3a61f9bc0fe49
                                                                                                                        • Instruction Fuzzy Hash: 3A5102B4E052199FCB18CFA9D9455AEFBF2BF88300F10802AD805F7250E7B49A05CF65
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1802088040.000000000A050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A050000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_a050000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: iUfo
                                                                                                                        • API String ID: 0-3820436262
                                                                                                                        • Opcode ID: 421aecd8a0cfa3683664e445c669715d7e164fbf7a4b98f49962300ed701059c
                                                                                                                        • Instruction ID: 55ea6167f9b5faac462c9b8904839dcf907d744f6c12cbc34fd5aeb32b6e8313
                                                                                                                        • Opcode Fuzzy Hash: 421aecd8a0cfa3683664e445c669715d7e164fbf7a4b98f49962300ed701059c
                                                                                                                        • Instruction Fuzzy Hash: 7951F2B4E052199FCB14CFA9D9845AEFBF2BF88300F10D42AD805B7254E7749A45CF55
Strings
Memory Dump Source
• Source File: 00000000.00000002.1802088040.000000000A050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a050000_3qr7JBuNuX.jbxd
Similarity
• API ID:
• String ID: w7e^
• API String ID: 0-1657886525
• Opcode ID: 507989b1b77e7caa58c11edc976c45b64191e13606784e7016ac9f056b053620
• Instruction ID: 3de81acedb58646ed4a8bfddf8f8b9ab0e0538c130e127a60f0488f1099400e2
• Opcode Fuzzy Hash: 507989b1b77e7caa58c11edc976c45b64191e13606784e7016ac9f056b053620
• Instruction Fuzzy Hash: F7413570D0520ADFDB14CFA6D8416EEFBF1BB89201F18D46AC801B7254D3788646DF59

Strings
Memory Dump Source
• Source File: 00000000.00000002.1802088040.000000000A050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a050000_3qr7JBuNuX.jbxd
Similarity
• API ID:
• String ID: w7e^
• API String ID: 0-1657886525
• Opcode ID: 2448c9b6fcac265fe98a6650a9a46360f09fec35b0d7d180dc9fe62ea87f8e2a
• Instruction ID: b4117b67047829c189c37170ed2e01dd7cabca6ee1fac5fc89ee1b5aaa70c6fa
• Opcode Fuzzy Hash: 2448c9b6fcac265fe98a6650a9a46360f09fec35b0d7d180dc9fe62ea87f8e2a
• Instruction Fuzzy Hash: 5B4112B0D0520DEBCB04CFAAD9406EEFBB1BB89201F18D42AC816B7254D3784646CF69

Strings
Memory Dump Source
• Source File: 00000000.00000002.1802088040.000000000A050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a050000_3qr7JBuNuX.jbxd
Similarity
• API ID:
• String ID: 0ni
• API String ID: 0-1488673370
• Opcode ID: 6b07677d2609ce6516083b49c84072a6a02089efb931dceef6ddd5b8565b54db
• Instruction ID: 44f415586c02e76b8522f275a6d4b8f9c8e83fe4f8184801bf851d5e8c9adc9e
• Opcode Fuzzy Hash: 6b07677d2609ce6516083b49c84072a6a02089efb931dceef6ddd5b8565b54db
• Instruction Fuzzy Hash: 1D513971E056188BDB58DF6B9D4579EFAF3AFC8300F14C5BA950CA6224DB301A868F51

Strings
Memory Dump Source
• Source File: 00000000.00000002.1802088040.000000000A050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a050000_3qr7JBuNuX.jbxd
Similarity
• API ID:
• String ID: 0ni
• API String ID: 0-1488673370
• Opcode ID: 8fd8392251a842cbe4d25fc2f162590f71c32bd009617c8d08687a079952c830
• Instruction ID: b4cc7fa2e10388fbd838341da68d200200e5b11ba0c2da73a12a4caeb0fb2fd7
• Opcode Fuzzy Hash: 8fd8392251a842cbe4d25fc2f162590f71c32bd009617c8d08687a079952c830
• Instruction Fuzzy Hash: 3C412871E016188BEB58CF6B9D4579EFBF3AFC8300F14C1BA950DA6224DB341A868F51

Memory Dump Source
• Source File: 00000000.00000002.1803159496.000000000A4F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A4F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a4f0000_3qr7JBuNuX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 968f9ec6502257e431f4b014d7ab29cb169f39f6192ccc5f94c9203656e5ca0d
• Instruction ID: 2d55ad0aaa68824a6dec40660ee1d773778ee79e5304b87546a102db853c6eec
• Opcode Fuzzy Hash: 968f9ec6502257e431f4b014d7ab29cb169f39f6192ccc5f94c9203656e5ca0d
• Instruction Fuzzy Hash: 91E1D874E00119CFDB14CFA9C5909AEBBB2FF89304F24965AE914AB356D730AD42CF61

Memory Dump Source
• Source File: 00000000.00000002.1803159496.000000000A4F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A4F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a4f0000_3qr7JBuNuX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 30af851dab400c80388a094bfc6c4e68a29166ca215dc1aeb1a64c3814c622fa
• Instruction ID: 72e3943dc5ea2fa62857cc24e4934a92370a1d49c04866def0218d5c9bdb163c
• Opcode Fuzzy Hash: 30af851dab400c80388a094bfc6c4e68a29166ca215dc1aeb1a64c3814c622fa
• Instruction Fuzzy Hash: F5E1E774E00159CFCB14CFA9C5909AEBBB2FF89304F24966AD519AB356D730AD42CF60

Memory Dump Source
• Source File: 00000000.00000002.1803159496.000000000A4F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A4F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a4f0000_3qr7JBuNuX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f93a92cd1781c7abd9be9afd068e3738b626d37457cc6afa16f30fa9ff0e4e8b
• Instruction ID: ee3ef003722389190fe2b5fbc22030a79e326823043712be5ed1e227f927115d
• Opcode Fuzzy Hash: f93a92cd1781c7abd9be9afd068e3738b626d37457cc6afa16f30fa9ff0e4e8b
• Instruction Fuzzy Hash: 78E1C774E001198FCB14CFA9C5809AEBBF2FF89304F24956AD925AB356DB31AD41CF61

Memory Dump Source
• Source File: 00000000.00000002.1803159496.000000000A4F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A4F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a4f0000_3qr7JBuNuX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 009b37364894a4a0b7470ab6a0aa417bdc56469dbeaaabc72d96dd7901e7013d
• Instruction ID: be0c4f06f1dc8bc28c3395fec726f25c36d8ab40c783f3aa562bbd99698e9680
• Opcode Fuzzy Hash: 009b37364894a4a0b7470ab6a0aa417bdc56469dbeaaabc72d96dd7901e7013d
• Instruction Fuzzy Hash: D5E1C674E00119CBDB14CFA9C5809AEFBF2EF89304F24966AD519AB356D730AD42CF61

Memory Dump Source
• Source File: 00000000.00000002.1803159496.000000000A4F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A4F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a4f0000_3qr7JBuNuX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 74f22d1c2305e17234036d5d07ebda5e8a09fcb9cbe06cec3d4a0fb82f114c71
• Instruction ID: 18d1c65a1cbd54e50511f942fd787d3ae884d91f43e56ccbd61ba8b708decb22
• Opcode Fuzzy Hash: 74f22d1c2305e17234036d5d07ebda5e8a09fcb9cbe06cec3d4a0fb82f114c71
• Instruction Fuzzy Hash: 4BE1D674E101198FCB14CFA9C5809AEBBF2FF89304F24966AE514AB356D734AD42CF61

Memory Dump Source
• Source File: 00000000.00000002.1802088040.000000000A050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a050000_3qr7JBuNuX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3ca11ec77f4894d2c373eda8c40bcb0a5143be8881b54aac2ea49f34f062360d
• Instruction ID: cd4200c38bed17fcc517773bc76d5756e1b579150cf55bf21d0d3051ba2950c7
• Opcode Fuzzy Hash: 3ca11ec77f4894d2c373eda8c40bcb0a5143be8881b54aac2ea49f34f062360d
• Instruction Fuzzy Hash: D1D13574A1520ADFCB04CFA9D59589EFBF2FF89340F249569E805EB221D330AA41CF52

Memory Dump Source
• Source File: 00000000.00000002.1802088040.000000000A050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a050000_3qr7JBuNuX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 99aff5ada87c000ab0ef4e87e45b088c2b358bc4326bf6cade509c2cb44f66ee
• Instruction ID: 0d71c3d4e4b385f751b4d6c7b1d2880147d7935da1dc0c5b6d82dfcba08b442d
• Opcode Fuzzy Hash: 99aff5ada87c000ab0ef4e87e45b088c2b358bc4326bf6cade509c2cb44f66ee
• Instruction Fuzzy Hash: 71B1D575D05209DFCF68CFAAD98069EFBB2BF89340F20942AD419AB254D7749A06CF10

Memory Dump Source
• Source File: 00000000.00000002.1802088040.000000000A050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a050000_3qr7JBuNuX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1c763512261d1b8a047a4247b5de72148528bfa7213dc837b14d5f0cddcccb7e
• Instruction ID: 67e88da453c66e260abb63b547a4e5af74a4922f889d8f20e49c770acae20f8d
• Opcode Fuzzy Hash: 1c763512261d1b8a047a4247b5de72148528bfa7213dc837b14d5f0cddcccb7e
• Instruction Fuzzy Hash: 6491F174A1421ADFCB04CFA9D58489EFBF2FF89350F249569E415AB320D330AA42CF51

Memory Dump Source
• Source File: 00000000.00000002.1802088040.000000000A050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a050000_3qr7JBuNuX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3a604b31c1e3d3da4df0406d48e2de55195c62144f87df35573c533434656ca7
• Instruction ID: 843b24ec03229686e4ef1b508422baaf495a9affd52fdd33a2906b3dfefbd73f
• Opcode Fuzzy Hash: 3a604b31c1e3d3da4df0406d48e2de55195c62144f87df35573c533434656ca7
• Instruction Fuzzy Hash: 0581F474E15609DFCF04CFA9C9805DEFBF2FB89310F24A42AD815B7214D375AA428BA4

Memory Dump Source
• Source File: 00000000.00000002.1802088040.000000000A050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a050000_3qr7JBuNuX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8fc4da1a26d513a17a30d1c231ea98956bf0ddc4588e72143bb9761df92e62ed
• Instruction ID: 9dccc812496b38ae48172e4d6651a7a7a043c5e5dbd1a351497b20dadf5105f0
• Opcode Fuzzy Hash: 8fc4da1a26d513a17a30d1c231ea98956bf0ddc4588e72143bb9761df92e62ed
• Instruction Fuzzy Hash: A881F974E10259CFCB54CFA9C5809AEFBF2FB89305F24D5A9D818A7216D7309A41CF61

Memory Dump Source
• Source File: 00000000.00000002.1802088040.000000000A050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a050000_3qr7JBuNuX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 81bc2db45873ac9d7d39a42e14b8025ec494e4e5a22174da0efbc82a3f8da9c0
• Instruction ID: 93baee848a9700fa4fb7e825d9791561b6cf367820a4c41c9371cefc056e2b0c
• Opcode Fuzzy Hash: 81bc2db45873ac9d7d39a42e14b8025ec494e4e5a22174da0efbc82a3f8da9c0
• Instruction Fuzzy Hash: 5771F474E1560DDFCF14CFA9C9809DEFBF2EB89310F24A42AD905BB214D375AA418B64

Memory Dump Source
• Source File: 00000000.00000002.1802088040.000000000A050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A050000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a050000_3qr7JBuNuX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 27fbbf5af7bbf734c1d1e21e39ab26724fce0f116164873ac836d89687dad08c
• Instruction ID: 99ea6e4d631fb6e2662895c3ae5ac202f2c0843434bf00d53ed3db00941dec4a
• Opcode Fuzzy Hash: 27fbbf5af7bbf734c1d1e21e39ab26724fce0f116164873ac836d89687dad08c
• Instruction Fuzzy Hash: 43510570E0460EDFCB48CFAAD4905EEFBF2FB89200F14C46AD815A7254D7759A828F94

Memory Dump Source
• Source File: 00000000.00000002.1803159496.000000000A4F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A4F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a4f0000_3qr7JBuNuX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c0660e63e7c93768cf83e90f6182e3eec9ea2ddc23d6ff0c8a5033872feb976a
• Instruction ID: 71946f51f59cdc1507f7b34a1087388fb58a3eab1949713d95572414fcf54105
• Opcode Fuzzy Hash: c0660e63e7c93768cf83e90f6182e3eec9ea2ddc23d6ff0c8a5033872feb976a
• Instruction Fuzzy Hash: 0E51D974E002198BDB14CFA9C5809AEFBF2EF89304F24966AD518A7316D7319E41CFA1

Memory Dump Source
• Source File: 00000000.00000002.1803159496.000000000A4F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A4F0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_a4f0000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 986c6a45a423f80f8e8f9c61483c42688bd6a5131cbc84d531700fa914c5beab
                                                                                                                        • Instruction ID: 376db94f1ceed69ddf17b003e613c4b1041e55b0e7c5ea619bf99776edad83a0
                                                                                                                        • Opcode Fuzzy Hash: 986c6a45a423f80f8e8f9c61483c42688bd6a5131cbc84d531700fa914c5beab
                                                                                                                        • Instruction Fuzzy Hash: 5951F974E002198BDB14CFA9C9845AEFBF2FF89304F24966AD518A7316D7319D42CF61
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1802088040.000000000A050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A050000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_a050000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 41ec3c256ab3f8ced2b8e8493e431fa05e323685a954e7c47dc5211aaa2ea5c3
                                                                                                                        • Instruction ID: e5162b8cfd21a1ad173b39a98894865503743094eb48af10117cfb2916678b07
                                                                                                                        • Opcode Fuzzy Hash: 41ec3c256ab3f8ced2b8e8493e431fa05e323685a954e7c47dc5211aaa2ea5c3
                                                                                                                        • Instruction Fuzzy Hash: 244119B0E0520ADFCB44CFA9C4815AEFBF2EF89300F14D46AC819F7215D774AA418B55
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1793637764.00000000018C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018C0000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_18c0000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 9944857c82f0bd66611ec23c2abec6eff981c502cb4262fb491d3afa1454b472
                                                                                                                        • Instruction ID: 7ad6d2a69a70183e3169ec9fc1cfb3dbcba4cb8366114d673eb81c7c65fde1d3
                                                                                                                        • Opcode Fuzzy Hash: 9944857c82f0bd66611ec23c2abec6eff981c502cb4262fb491d3afa1454b472
                                                                                                                        • Instruction Fuzzy Hash: C1419F75B04219CFCB14CEA9D4D45BEFBFBEB88714F25806AE505E7652D634CE028B90
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1802088040.000000000A050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A050000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_a050000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 026f2cb08db2a54f5e7e3254b47bb09871c08ec0a01cd861456b9388b377f3fc
                                                                                                                        • Instruction ID: b409df0b03aa0a5a94dd5d59933e69f6576d04f7f42e1a8f5843960e6c6d0ae6
                                                                                                                        • Opcode Fuzzy Hash: 026f2cb08db2a54f5e7e3254b47bb09871c08ec0a01cd861456b9388b377f3fc
                                                                                                                        • Instruction Fuzzy Hash: F541F9B0E0520EDBCB44CFA9C9815AEFBF2FF89300F24D569D819B7214D774AA418B95
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1802088040.000000000A050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A050000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_a050000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 3c80d45a4b948481b7727946d4e10ba7e9a4746cf287502ec04c45ddc8043f68
                                                                                                                        • Instruction ID: a316b0f07533f6925b2ce4767f8b4034f5ba927a9436c0ac3a916b3c8edb87fa
                                                                                                                        • Opcode Fuzzy Hash: 3c80d45a4b948481b7727946d4e10ba7e9a4746cf287502ec04c45ddc8043f68
                                                                                                                        • Instruction Fuzzy Hash: BC414970E0A60EDFCB54CFA6D5416AFFBF2AB98300F20D46AC805B7264E77487058B94
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1802088040.000000000A050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A050000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_a050000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 07c7efbd20a2157d52638165c81db3980125ebaf976bceb7ee846ca4b5145b74
                                                                                                                        • Instruction ID: 3885019b44af9775d2d9398052b518cecf4f7fbe2b98c0fd5ef00a66b309f761
                                                                                                                        • Opcode Fuzzy Hash: 07c7efbd20a2157d52638165c81db3980125ebaf976bceb7ee846ca4b5145b74
                                                                                                                        • Instruction Fuzzy Hash: 11411870E0660EDFCB54CFA6D5416AFFBF2AB98300F20D46AC805B7264E77497458B94
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1802088040.000000000A050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A050000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_a050000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 4ba835da79b12c0ff0cd052022279f11366d3157527ce46b6262f6909e9f64ad
                                                                                                                        • Instruction ID: e0ee4f23800da7089f9eab1987a3355bdc2aecd86bfe3dda5bacd5c803048400
                                                                                                                        • Opcode Fuzzy Hash: 4ba835da79b12c0ff0cd052022279f11366d3157527ce46b6262f6909e9f64ad
                                                                                                                        • Instruction Fuzzy Hash: 4041B6B0E0560EDBCB48CFAAD4815EEFBF2AB88200F14D46AD815A7254D7759A818F94
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1802088040.000000000A050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A050000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_a050000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: edc36e0ec4fa5c9f408546ce42fda80c07317c778dd96c35876736d274335ef8
                                                                                                                        • Instruction ID: 345bd4552b85d2ac35096a51ba4c84a92e75abc76de8e773d3d868bde0c65f08
                                                                                                                        • Opcode Fuzzy Hash: edc36e0ec4fa5c9f408546ce42fda80c07317c778dd96c35876736d274335ef8
                                                                                                                        • Instruction Fuzzy Hash: 98210371E097589FD749CF6B881069EBFF3AFCA300F09C0B7C448A6266D63405558B11
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000000.00000002.1802088040.000000000A050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A050000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_0_2_a050000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 8b5a4d713559bd84db31ab5e926404f011491b349ea55f5e3c6ac869ff338f79
                                                                                                                        • Instruction ID: 8d290e4d54151fba650ae79a591d32562763888732c4bbd90ad599abfef355e9
                                                                                                                        • Opcode Fuzzy Hash: 8b5a4d713559bd84db31ab5e926404f011491b349ea55f5e3c6ac869ff338f79
                                                                                                                        • Instruction Fuzzy Hash: 1711E971E006189BEB58CFABD80069EFAF7AFC8300F04C07AC91CB6224EB7406568F51
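Each block above is one function record from the Hybrid Code Analysis listing: the memory dump the function was lifted from (Source File and Offset), the IDA snapshot, and the identifiers under the Similarity heading, of which the Instruction Fuzzy Hash is a fixed-length hex string (70 digits in every record here) while the Opcode Fuzzy Hash simply repeats the Opcode ID. A practical way to triage a listing this long is to pull the records out and flag functions whose fuzzy hashes agree in all but a few positions, so near-duplicate bodies get reviewed once. The script below is an added example written for this page, not Joe Sandbox code: it treats the fuzzy hash as an opaque, position-stable hex string and compares it digit by digit, which is an assumption about the format rather than its documented semantics (the vendor's own similarity engine is the authority), and the embedded records are five copies of records from this listing, trimmed to the fields the comparison needs.

```python
"""Pull the per-function records out of a Joe Sandbox HCA listing and flag pairs whose
Instruction Fuzzy Hash differs in only a few positions.  Added example for this page."""
import re
from itertools import combinations

# Constructed input: five records copied from this report's listing, trimmed to the
# fields the comparison needs.  The hash values are the report's own.
RECORDS_TEXT = """\
Memory Dump Source
• Source File: 00000000.00000002.1803159496.000000000A4F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A4F0000, based on PE: false
• Instruction ID: 71946f51f59cdc1507f7b34a1087388fb58a3eab1949713d95572414fcf54105
• Instruction Fuzzy Hash: 0E51D974E002198BDB14CFA9C5809AEFBF2EF89304F24966AD518A7316D7319E41CFA1
Memory Dump Source
• Source File: 00000000.00000002.1803159496.000000000A4F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A4F0000, based on PE: false
• Instruction ID: 376db94f1ceed69ddf17b003e613c4b1041e55b0e7c5ea619bf99776edad83a0
• Instruction Fuzzy Hash: 5951F974E002198BDB14CFA9C9845AEFBF2FF89304F24966AD518A7316D7319D42CF61
Memory Dump Source
• Source File: 00000000.00000002.1802088040.000000000A050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A050000, based on PE: false
• Instruction ID: a316b0f07533f6925b2ce4767f8b4034f5ba927a9436c0ac3a916b3c8edb87fa
• Instruction Fuzzy Hash: BC414970E0A60EDFCB54CFA6D5416AFFBF2AB98300F20D46AC805B7264E77487058B94
Memory Dump Source
• Source File: 00000000.00000002.1802088040.000000000A050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A050000, based on PE: false
• Instruction ID: 3885019b44af9775d2d9398052b518cecf4f7fbe2b98c0fd5ef00a66b309f761
• Instruction Fuzzy Hash: 11411870E0660EDFCB54CFA6D5416AFFBF2AB98300F20D46AC805B7264E77497458B94
Memory Dump Source
• Source File: 00000000.00000002.1802088040.000000000A050000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A050000, based on PE: false
• Instruction ID: 345bd4552b85d2ac35096a51ba4c84a92e75abc76de8e773d3d868bde0c65f08
• Instruction Fuzzy Hash: 98210371E097589FD749CF6B881069EBFF3AFCA300F09C0B7C448A6266D63405558B11
"""

# "• Key: value" lines; the key runs up to the first colon.
_FIELD = re.compile(r"^\s*•\s*([^:]+):\s*(.*?)\s*$")
_OFFSET = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")


def parse_records(text):
    """Split the listing on its 'Memory Dump Source' headers and collect the bullet fields."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "Memory Dump Source":
            cur = {}
            records.append(cur)
            continue
        m = _FIELD.match(line)
        if not m or cur is None:
            continue  # plugin banner, 'Similarity' heading, blank lines
        key, value = m.group(1).strip(), m.group(2)
        if key == "Source File":
            # "<dump>.sdmp, Offset: 0A4F0000, based on PE: false": keep dump name and offset
            cur["source"] = value.split(",")[0]
            off = _OFFSET.search(value)
            cur["offset"] = off.group(1) if off else None
        else:
            cur[key] = value
    return records


def hamming(h1, h2):
    """Number of hex positions that differ; only meaningful for equal-length hashes."""
    if len(h1) != len(h2):
        raise ValueError("fuzzy hashes of different length are not comparable")
    return sum(a != b for a, b in zip(h1.upper(), h2.upper()))


def similar_pairs(records, max_distance=12):
    """Record pairs whose Instruction Fuzzy Hash differs in at most max_distance positions.

    The threshold is a triage knob chosen for this example, not a documented cut-off."""
    found = []
    for a, b in combinations(records, 2):
        ha, hb = a.get("Instruction Fuzzy Hash"), b.get("Instruction Fuzzy Hash")
        if not ha or not hb or len(ha) != len(hb):
            continue
        d = hamming(ha, hb)
        if d <= max_distance:
            found.append((a["Instruction ID"][:12], b["Instruction ID"][:12],
                          a["offset"], b["offset"], d))
    return sorted(found, key=lambda pair: pair[-1])


if __name__ == "__main__":
    recs = parse_records(RECORDS_TEXT)
    print(f"{len(recs)} records parsed")
    for ia, ib, oa, ob, d in similar_pairs(recs):
        print(f"{ia}@{oa} ~ {ib}@{ob}: {d} differing hex digits")
```

On the five embedded records the script reports two near-duplicate pairs, both within a single dump (the two functions at offset 0A050000 differ in 7 positions, the two at 0A4F0000 in 10), and nothing across dumps. Position-wise distance is only a triage heuristic: if the fuzzy hash is not position-stable in the way assumed here, a small distance still means something but a large one does not rule out similarity, so treat the output as a worklist, not a verdict.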

                                                                                                                        Execution Graph

Execution Coverage: 12.1%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 21.7%
Total number of Nodes: 69
Total number of Limit Nodes: 12

execution_graph (the report's node/edge listing, condensed here to its four root nodes and the API calls reachable from each; collapsed callees carry the report's own "N API calls" summary):
• 5449e78: GetCurrentProcess (5449ebe), GetCurrentThread (5449f10), GetCurrentProcess (5449f4d), GetCurrentThreadId (5449fab)
• 544a4c8: DuplicateHandle
• 4e613a8: callee 4e60ab8 (2 API calls); LdrInitializeThunk at 4e60d18 and 4e611f9
• e746d8: e746e4 -> e79249 -> e7924c -> e79480 / e7946f; callees 4e60ab8 (2 API calls), 4e610bc (3 API calls), 4e60aa8 (4 API calls), 4e60cd8 (4 API calls), 4e65acb / 4e65ad8; LdrInitializeThunk at 4e610b4, 4e60d18 and 4e60d09
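Joe Sandbox serialises the execution graph above as a flat token stream: a decimal node id followed by a lowercase hex address, optional label tokens for that node (an API name, or a collapsed-callee summary such as "2 API calls"), and "src->dst" edges. The parser and reachability walk below are an added example written for this page, not Joe Sandbox code; the grammar it assumes is inferred from the listing (node ids are all digits, addresses are lowercase hex, API names start with a capital letter), and the embedded graph text is an excerpt of this report's listing covering the first three roots, not the whole graph.

```python
"""Parse a Joe Sandbox execution_graph token stream and list the APIs reachable from each
root node.  Added example for this page; the token grammar is inferred from the listing."""
import re
from collections import defaultdict

# Constructed input: an excerpt (first three roots) of the execution_graph listing in
# this report, copied verbatim.
GRAPH_TEXT = (
    "execution_graph 31391 5449e78 31392 5449ebe GetCurrentProcess 31391->31392 "
    "31394 5449f10 GetCurrentThread 31392->31394 31395 5449f09 31392->31395 "
    "31396 5449f46 31394->31396 31397 5449f4d GetCurrentProcess 31394->31397 "
    "31395->31394 31396->31397 31400 5449f83 31397->31400 "
    "31398 5449fab GetCurrentThreadId 31399 5449fdc 31398->31399 31400->31398 "
    "31401 544a4c8 DuplicateHandle 31402 544a55e 31401->31402 "
    "31403 4e613a8 31404 4e613af 31403->31404 31406 4e613b5 31403->31406 "
    "31404->31406 31407 4e61736 31404->31407 31409 4e60ab8 31404->31409 "
    "31407->31406 31408 4e60ab8 2 API calls 31407->31408 31408->31407 "
    "31410 4e60aca 31409->31410 31412 4e60acf 31409->31412 31410->31407 "
    "31411 4e60d18 LdrInitializeThunk 31415 4e60da9 31411->31415 "
    "31412->31410 31412->31411 31413 4e60e69 31413->31407 "
    "31414 4e611f9 LdrInitializeThunk 31414->31413 31415->31413 31415->31414"
)

_EDGE = re.compile(r"^(\d+)->(\d+)$")
_NODE_ID = re.compile(r"^\d+$")
_ADDR = re.compile(r"^[0-9a-f]+$")  # assumption: addresses are lowercase hex, API names CamelCase


def parse_execution_graph(text):
    """Return (nodes, edges): nodes maps id -> {addr, apis, note}; edges is a list of (src, dst)."""
    tokens = text.split()
    if tokens and tokens[0] == "execution_graph":
        tokens = tokens[1:]
    nodes, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = _EDGE.match(tok)
        if edge:
            edges.append((int(edge.group(1)), int(edge.group(2))))
            i += 1
            continue
        # A node definition is a decimal id immediately followed by a hex address.
        if _NODE_ID.match(tok) and i + 1 < len(tokens) and _ADDR.match(tokens[i + 1]):
            current = int(tok)
            nodes[current] = {"addr": tokens[i + 1], "apis": [], "note": ""}
            i += 2
            continue
        if current is None:
            raise ValueError(f"label token {tok!r} before any node definition")
        # Any other token labels the current node: an API name, or one word of a
        # collapsed-callee summary such as "2 API calls" (kept as a note, not an API).
        if tok[0].isupper() and tok != "API":
            nodes[current]["apis"].append(tok)
        else:
            nodes[current]["note"] = (nodes[current]["note"] + " " + tok).strip()
        i += 1
    return nodes, edges


def roots(nodes, edges):
    """Nodes with no incoming edge: the entry points the graph was grown from."""
    targets = {dst for _, dst in edges}
    return sorted(n for n in nodes if n not in targets)


def reachable_apis(nodes, edges, start):
    """API names reachable from start, in first-seen order, de-duplicated; cycle-safe."""
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    seen, found, stack = set(), [], [start]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        for api in nodes.get(node, {}).get("apis", []):
            if api not in found:
                found.append(api)
        stack.extend(reversed(succ[node]))  # visit successors in listing order
    return found


def summarize(text):
    """Map each root's address to the APIs reachable from it."""
    nodes, edges = parse_execution_graph(text)
    return {nodes[r]["addr"]: reachable_apis(nodes, edges, r) for r in roots(nodes, edges)}


if __name__ == "__main__":
    for addr, apis in summarize(GRAPH_TEXT).items():
        print(f"{addr}: {', '.join(apis) or '(no direct API calls)'}")
```

On the excerpt this prints three roots: 5449e78 reaching GetCurrentProcess, GetCurrentThread and GetCurrentThreadId; 544a4c8 reaching DuplicateHandle; and 4e613a8 reaching LdrInitializeThunk through the 4e60ab8 callee that the report collapsed to "2 API calls". That first chain is ordinary handle housekeeping and is not an indicator on its own; the graph tells you where API-level behaviour sits in the dumped code, while the signatures in the report header carry the verdict.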
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: N
                                                                                                                        • API String ID: 0-1130791706
                                                                                                                        • Opcode ID: 0bdd7fc33ba2e65523871c7c0a6e08aba5ed2ff76cfdcb013a08b0ad15f1f820
                                                                                                                        • Instruction ID: a554e5f3c14e620f506aceb59cb7d6bc7e4ff7f3071e2ae95a475affec04c52c
                                                                                                                        • Opcode Fuzzy Hash: 0bdd7fc33ba2e65523871c7c0a6e08aba5ed2ff76cfdcb013a08b0ad15f1f820
                                                                                                                        • Instruction Fuzzy Hash: 3273D531D10B5A8EDB11EF68C854A99FBB1FF99300F51D69AE44877221EB70AAC4CF41

                                                                                                                        Control-flow Graph

                                                                                                                        • Executed
                                                                                                                        • Not Executed
control_flow_graph for the function at 4e60ab8 (basic blocks 4e60ab8 through 4e6130f, condensed from the report's block/edge listing): LdrInitializeThunk is called from the blocks at 4e60d18-4e60da4 and 4e611f9-4e6120f, and the block at 4e61100-4e61161 calls back into 4e60ab8, the function's own entry. All other edges are branches and fall-throughs between blocks with no API calls.
                                                                                                                        APIs
Memory Dump Source
• Source File: 00000004.00000002.3022280678.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4e60000_3qr7JBuNuX.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: b0f194e8358b422448315530d03b45177191a9f9ddbd1505b02f0b3a77ca8162
• Instruction ID: 7a623a38b756cba65694550176adc83169e018cd66a58de6bd8486768cb6d2f1
• Opcode Fuzzy Hash: b0f194e8358b422448315530d03b45177191a9f9ddbd1505b02f0b3a77ca8162
• Instruction Fuzzy Hash: 4B224B74E00228CFDB14DFA9C984B9DBBB2BF88344F1095A9E409AB355DB35AD85CF50

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
Similarity
• API ID:
• String ID: Xbq$Xbq
• API String ID: 0-1243427068
• Opcode ID: 47f6a79db68665e007cf6930218b02c11adf1fe3c2195c603b678726df4af7cd
• Instruction ID: 6f8ee8a1543fdfb8c86d0790334ef2784bcdf9ba2945f0eb993bf5c986d719af
• Opcode Fuzzy Hash: 47f6a79db68665e007cf6930218b02c11adf1fe3c2195c603b678726df4af7cd
• Instruction Fuzzy Hash: 54128F62F982E58FF717953A08AD2F0EBE156AD304F48C96DD8C3C3445F75C468B8A19

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
Similarity
• API ID:
• String ID: Xbq$$^q
• API String ID: 0-1593437937
• Opcode ID: 9153ea24b87111f275b263f9aa81251d69f1d2315ef432e9d5b882133e9dd2f8
• Instruction ID: 2a1013b5255ce130fdfd8057b2663fffadccf9ac0030f5acdd7a1e123e681536
• Opcode Fuzzy Hash: 9153ea24b87111f275b263f9aa81251d69f1d2315ef432e9d5b882133e9dd2f8
• Instruction Fuzzy Hash: C491D670B00258CFDB58EB78885867EBBB3BFC4700B19C92DD04AF7294DE3589029781
APIs
Memory Dump Source
• Source File: 00000004.00000002.3022280678.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4e60000_3qr7JBuNuX.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 4974e189d2f5537b22d04913be9de72c1e4d3b6eaa84e99140a1a0d48ca923cd
• Instruction ID: ab53bd84489e40f85c148d026850ae0a90cea08171eccc6106247a37d6592645
• Opcode Fuzzy Hash: 4974e189d2f5537b22d04913be9de72c1e4d3b6eaa84e99140a1a0d48ca923cd
• Instruction Fuzzy Hash: 9D31E8B1D016189BEB18CFAAD8847DDFBF2BF88314F14D16AE419A72A4DB705945CF10
Memory Dump Source
• Source File: 00000004.00000002.3022690771.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_5440000_3qr7JBuNuX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e2d56402445ae7ae5d428c8198199287d8b40329dec1b7f65d4421538338df37
• Instruction ID: 3e31960b578c49501dd0624655749fd74b7ea2e47132f1bc9504cbb62a87ed26
• Opcode Fuzzy Hash: e2d56402445ae7ae5d428c8198199287d8b40329dec1b7f65d4421538338df37
• Instruction Fuzzy Hash: 7372BE74E052288FEB64DF69C984BEDBBB2BB49300F1491EAD409A7355DB309E81CF50
Memory Dump Source
• Source File: 00000004.00000002.3022280678.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_4e60000_3qr7JBuNuX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 84fffca49b7dd9a26f0236ac78041fb80171fded580241fbe04f65c96e6bc950
• Instruction ID: ab9df55ab495e583f80efa02d226e16d4b5f7c924cb80c1c6a11b58d3c97130c
• Opcode Fuzzy Hash: 84fffca49b7dd9a26f0236ac78041fb80171fded580241fbe04f65c96e6bc950
• Instruction Fuzzy Hash: FFE1C274E01218CFEB64DFA5D944B9DBBB2BF89304F2081AAD409BB395DB355A85CF10
Memory Dump Source
• Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c45b2a0818dcc10920cf6ea7f6f6050dbd2a27881c5219559aacb867c060e526
• Instruction ID: 1e1eb668f8cc48c7bb6e077c9ee0156b569a510b038f947ae241a63e6f5171d3
• Opcode Fuzzy Hash: c45b2a0818dcc10920cf6ea7f6f6050dbd2a27881c5219559aacb867c060e526
• Instruction Fuzzy Hash: 00C19074E01218CFDB14DFA5D994B9DBBB2BF88300F2085AAD809AB355DB359E85CF11
Memory Dump Source
• Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e8cf45e5d20a9d1492438c9e8a10ea1f65ab764182147f92bd23df6604c886a5
• Instruction ID: c7ac1f8219343d2bf5630a61fb673afa20ba3a6a279ea58a2015a52e4e4eedfc
• Opcode Fuzzy Hash: e8cf45e5d20a9d1492438c9e8a10ea1f65ab764182147f92bd23df6604c886a5
• Instruction Fuzzy Hash: 5EA10471D016198EDB14DFA9C8446DDFBB1EF89304F14D2AAE418BB261EB70AA85CF41
Memory Dump Source
• Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d7b685d0f6bd9f4e6600268dfbc2d1dee192897a14f72e4f2cdd2347c42b7460
• Instruction ID: d35695b31ba57f3d56af15655d8d4b445438b7f3775be2747b564a2938e1f7a0
• Opcode Fuzzy Hash: d7b685d0f6bd9f4e6600268dfbc2d1dee192897a14f72e4f2cdd2347c42b7460
• Instruction Fuzzy Hash: 2BA10470D002088FEB14DFA9D994BDDBBB1FF89304F209269E409A73A1DB759985CF54
Memory Dump Source
• Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1717c9a5f9dace5d56f00df016421c8d735c1dd6e49c2604db1ebfff7a6fa73e
• Instruction ID: e011dd343f2fdfdb3dc785cc529914a2913fd2e212e200b99e97b83fb1b95d24
• Opcode Fuzzy Hash: 1717c9a5f9dace5d56f00df016421c8d735c1dd6e49c2604db1ebfff7a6fa73e
• Instruction Fuzzy Hash: 22A10470D002088FDB24DFA9D994BDDBBB1FF49304F209269E409A73A2DB749985CF55
Memory Dump Source
• Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e9fab7d74bc4a9ee4d19c6d931ac838a093f2ceef7f9857c56fec047557ab501
• Instruction ID: d8c2fb6d07e80f0d74675a1203d11fb477f5ab631d3b84e2c8deeb7e80887eab
• Opcode Fuzzy Hash: e9fab7d74bc4a9ee4d19c6d931ac838a093f2ceef7f9857c56fec047557ab501
• Instruction Fuzzy Hash: F091E270900208CFDB20DFA8D998BDCBBB1FF49314F249269E509BB292DB759985CF15
Memory Dump Source
• Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e9ce5baf0395e308b2002b4d678177c5b885d6d5e7bd9b0e800bebd4d7125a1f
• Instruction ID: a8c6cbbdbab66189b733ee3c5f1568fa58e1e8c33965ef50a41e2cea34d994e1
• Opcode Fuzzy Hash: e9ce5baf0395e308b2002b4d678177c5b885d6d5e7bd9b0e800bebd4d7125a1f
• Instruction Fuzzy Hash: 5241E574D01208CBEB18CFA6D8546DDBBF2AF88300F24D12AD419BB355EB385946CF50

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
Similarity
• API ID:
• String ID: LR^q$\v$\v$\v$\v$\v
• API String ID: 0-931508885
• Opcode ID: 2d14c0ea6c29167e63342e21489123c1abb353f20cc6ff248ae3776dc6ec5de2
• Instruction ID: e04330b40e6b406976c88d4eafc7efa2d8b9fcf77f9013f0e740af041c0970c2
• Opcode Fuzzy Hash: 2d14c0ea6c29167e63342e21489123c1abb353f20cc6ff248ae3776dc6ec5de2
• Instruction Fuzzy Hash: 47A1BA74A05209CFCF45EFA8E995D9DBBB1FB88304B105629E405AB379DB70AD46CF80

Control-flow Graph

                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: 8cq$Hbq$Hbq$Hbq$TJcq
                                                                                                                        • API String ID: 0-1895975235
                                                                                                                        • Opcode ID: cdf610c6932f8f4d37e9fc705267894e24a5c728c9c24396349f8ecabc8b5c3b
                                                                                                                        • Instruction ID: 85baef12e9963c4e58260822696612c7262fbf54b5bca4a1dcf84919a3246afe
                                                                                                                        • Opcode Fuzzy Hash: cdf610c6932f8f4d37e9fc705267894e24a5c728c9c24396349f8ecabc8b5c3b
                                                                                                                        • Instruction Fuzzy Hash: D1D1F531B042088FCB15DB68C594BAD7BB6EF89324F249166E509EB3A1DB31DD42CB91
                                                                                                                        Control-flow Graph
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
                                                                                                                        • API String ID: 0-1487592376
                                                                                                                        • Opcode ID: 78188d8e72ea4d0863523007cce65846f8d98251a169ca2a1ab0052b85b67f00
                                                                                                                        • Instruction ID: ce543e4547b621caf9cbebabf61330fe5519e3b6abf136c0019e6d6f87c69de9
                                                                                                                        • Opcode Fuzzy Hash: 78188d8e72ea4d0863523007cce65846f8d98251a169ca2a1ab0052b85b67f00
                                                                                                                        • Instruction Fuzzy Hash: 5351A174E01208DFCB48DFA9D99499DBBF2BF89310F249469E819BB364DB349946CF10
                                                                                                                        Control-flow Graph
                                                                                                                        APIs
                                                                                                                        • GetCurrentProcess.KERNEL32 ref: 05449EF6
                                                                                                                        • GetCurrentThread.KERNEL32 ref: 05449F33
                                                                                                                        • GetCurrentProcess.KERNEL32 ref: 05449F70
                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 05449FC9
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3022690771.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_5440000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Current$ProcessThread
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2063062207-0
                                                                                                                        • Opcode ID: 4d6dd04cf617a6831fbf37f5001d2fa125cdf97a68a517762e185995674b5745
                                                                                                                        • Instruction ID: b65fee9f6f0b34ee57ea1c4cb65c06e0499dcffce466e52a8963f671a8593ea7
                                                                                                                        • Opcode Fuzzy Hash: 4d6dd04cf617a6831fbf37f5001d2fa125cdf97a68a517762e185995674b5745
                                                                                                                        • Instruction Fuzzy Hash: 8C5147B0901209CFEB14DFAAD548BDEBBF1EB88314F20846AE459A7360D734A944CF65
                                                                                                                        Control-flow Graph
                                                                                                                        APIs
                                                                                                                        • GetCurrentProcess.KERNEL32 ref: 05449EF6
                                                                                                                        • GetCurrentThread.KERNEL32 ref: 05449F33
                                                                                                                        • GetCurrentProcess.KERNEL32 ref: 05449F70
                                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 05449FC9
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3022690771.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_5440000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: Current$ProcessThread
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2063062207-0
                                                                                                                        • Opcode ID: c82f250943b1dd68aaa357c053e2adde444e6bf7152c8a26fbe7db194cb970bf
                                                                                                                        • Instruction ID: f94e1f52dd0f46030b3d8262de0d993bd12ed5cf64a04f3cc23555ea3c865e62
                                                                                                                        • Opcode Fuzzy Hash: c82f250943b1dd68aaa357c053e2adde444e6bf7152c8a26fbe7db194cb970bf
                                                                                                                        • Instruction Fuzzy Hash: BC5148B0901209CFEB14DFAAD548BDEBBF1EB88314F208469E459A7364D734A944CF65
                                                                                                                        Control-flow Graph
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: $Hbq$Hbq$Hbq
                                                                                                                        • API String ID: 0-580995494
                                                                                                                        • Opcode ID: 7d9bab9e73028f1595fc8cb3f711e1f8e95a9d3362c73fa4e8400e04fa019661
                                                                                                                        • Instruction ID: df7c777c94a9ef0ad93a55fa098490fd4e87da8f808ffdebddb2a653a43e73f4
                                                                                                                        • Opcode Fuzzy Hash: 7d9bab9e73028f1595fc8cb3f711e1f8e95a9d3362c73fa4e8400e04fa019661
                                                                                                                        • Instruction Fuzzy Hash: 43719330700148DBDF256F78986876E7AA3EF85365F248229E92AAB3D0DF358D02C755
                                                                                                                        Control-flow Graph
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: $Hbq$Hbq$Hbq
                                                                                                                        • API String ID: 0-580995494
                                                                                                                        • Opcode ID: 920191617215b0bc95afbea1b8f67c0092969166ad6035b84c1bbdeb2d0f6117
                                                                                                                        • Instruction ID: 590d3d5fad1a5d46adff3a2ed28c620c2358eabcfdad056ea60aa6157b72dfa4
                                                                                                                        • Opcode Fuzzy Hash: 920191617215b0bc95afbea1b8f67c0092969166ad6035b84c1bbdeb2d0f6117
                                                                                                                        • Instruction Fuzzy Hash: C9519330700148DFDB256F78982876E7AA2FFC5365F248529E52AAB3D0DF358D02C755
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: 8cq$TJcq
                                                                                                                        • API String ID: 0-1920894394
                                                                                                                        • Opcode ID: 20ee2935dbf4e23f96acdad764008624f356fe717cf3a416d0415a3d9026ac84
                                                                                                                        • Instruction ID: 307d924c61fa2dd716cc697ab86a150712a497445514d49a13b2a860e90c1dd6
                                                                                                                        • Opcode Fuzzy Hash: 20ee2935dbf4e23f96acdad764008624f356fe717cf3a416d0415a3d9026ac84
                                                                                                                        • Instruction Fuzzy Hash: F2313935B001098FCB45DFA8C580E9DBBF2EF88324F155094E505AB365CB70EC85CB91
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: 8cq$TJcq
                                                                                                                        • API String ID: 0-1920894394
                                                                                                                        • Opcode ID: 7d706892945447ae0cc763a21718b9ce50646a0a90766461df131aa8e264a3de
                                                                                                                        • Instruction ID: 9f79f56017f8f9f3875d32f2dca7e40cecd05029fdec7b873951e78542550dd8
                                                                                                                        • Opcode Fuzzy Hash: 7d706892945447ae0cc763a21718b9ce50646a0a90766461df131aa8e264a3de
                                                                                                                        • Instruction Fuzzy Hash: 2E314835B401098FCB45DFA8C580E9DBBB2EF88324F255094E605AB3B5CB70EC85CB91
                                                                                                                        APIs
                                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0544A54F
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3022690771.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_5440000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: DuplicateHandle
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3793708945-0
                                                                                                                        • Opcode ID: 9c5565b0542d37bf7032e674b0a3e42d6253e0e14293581d1ed7e5d63ae516f1
                                                                                                                        • Instruction ID: 1bc43789e7875b7dc322cda567574519a9c8ad657bbd379a4119404d73d59bb3
                                                                                                                        • Opcode Fuzzy Hash: 9c5565b0542d37bf7032e674b0a3e42d6253e0e14293581d1ed7e5d63ae516f1
                                                                                                                        • Instruction Fuzzy Hash: 0521E6B5D002489FDB10CF9AD984ADEBFF5FB48320F14851AE968A7350D378A940CF61
                                                                                                                        APIs
                                                                                                                        • LdrInitializeThunk.NTDLL(00000000), ref: 04E611FE
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3022280678.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_4e60000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: InitializeThunk
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 2994545307-0
                                                                                                                        • Opcode ID: 7e3af9b3125a0ca07bb15428bc46ef3a0b109a328b7e19328760efc52b039bff
                                                                                                                        • Instruction ID: d8bf5de956074327c1ba16457f2c06d463e314f55d0bdd8aac70238993c7be87
                                                                                                                        • Opcode Fuzzy Hash: 7e3af9b3125a0ca07bb15428bc46ef3a0b109a328b7e19328760efc52b039bff
                                                                                                                        • Instruction Fuzzy Hash: 94116D74E411099FDB05DFA8D884AADFBF5FB88344F14E225E805E7246DB30A941CF20
                                                                                                                        APIs
                                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0544A54F
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3022690771.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_5440000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID: DuplicateHandle
                                                                                                                        • String ID:
                                                                                                                        • API String ID: 3793708945-0
                                                                                                                        • Opcode ID: 1de7844526c4d8980a0ad154eea1cc7f0775910b5c352a4170be049d909b6c37
                                                                                                                        • Instruction ID: 5f487149822b0cab08a39123d2fa5b11de742c33825091abfc7cddcfc964f4a2
                                                                                                                        • Opcode Fuzzy Hash: 1de7844526c4d8980a0ad154eea1cc7f0775910b5c352a4170be049d909b6c37
                                                                                                                        • Instruction Fuzzy Hash: E921F5B59002489FDB10CF9AD984ADEFFF5FB48310F14801AE958A3310D378A940CFA5
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: Hbq
                                                                                                                        • API String ID: 0-1245868
                                                                                                                        • Opcode ID: 8e06720d02853caa92edc1dfe7c5c2d4008677c6ecaa62dedbddf8c1909a58dd
                                                                                                                        • Instruction ID: c74f93791b2f0657983772f8f5695199ce8bab65622eabc451e9e7533846f2bc
                                                                                                                        • Opcode Fuzzy Hash: 8e06720d02853caa92edc1dfe7c5c2d4008677c6ecaa62dedbddf8c1909a58dd
                                                                                                                        • Instruction Fuzzy Hash: 6631C5347041489FC704EF79D995AAE7BB6FF89300B248069E5099B361DF319D06C791
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: Hbq
                                                                                                                        • API String ID: 0-1245868
                                                                                                                        • Opcode ID: 0c6abcb7923f99397edfa5144a5d01c95a365082e942785cd2c5a10802b959b6
                                                                                                                        • Instruction ID: 0c8836166ea010bdfb5fa50f947c30b9e7faac783e5b6fcfbf04c7ce2508f18a
                                                                                                                        • Opcode Fuzzy Hash: 0c6abcb7923f99397edfa5144a5d01c95a365082e942785cd2c5a10802b959b6
                                                                                                                        • Instruction Fuzzy Hash: 39218E32A041089FCB44EFB8D955AAE7BF6EF88300B10857AE509E7355DF359E12CB91
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: af3c39f911b0c82ee46ae05f6820bdc7ab6379fb41cb41394c6120cb6b06ff1e
                                                                                                                        • Instruction ID: 36b34f971d83d7c281cb80ace6e43310c51bbdec390de6a90110763cb0c78d5a
                                                                                                                        • Opcode Fuzzy Hash: af3c39f911b0c82ee46ae05f6820bdc7ab6379fb41cb41394c6120cb6b06ff1e
                                                                                                                        • Instruction Fuzzy Hash: E161D176A012059FCB24CB79D8509AABBFAEBC8324B24D53EE51DE7351D731DC0187A0
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: f07c7f8f836cd17d63e96c1b95e98439d29ea8b9106d605d5c1002d265aea6af
                                                                                                                        • Instruction ID: 332935f6d09e637460542e6707ef02ca00b6f92f1574c3b24b5007da7ab225b0
                                                                                                                        • Opcode Fuzzy Hash: f07c7f8f836cd17d63e96c1b95e98439d29ea8b9106d605d5c1002d265aea6af
                                                                                                                        • Instruction Fuzzy Hash: D741B274E01248DFCB48DFAAD88499DBBF2BF89300F249529E405BB365DB349941CF14
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: cac928349a8b42eea92c95f353ac3a782766c5dc0cb9cffb6dc023f686e706e4
                                                                                                                        • Instruction ID: 6d5b1e46ebed37284f980b59effae2afb9b5b254959d8d5e98e5164831b320ea
                                                                                                                        • Opcode Fuzzy Hash: cac928349a8b42eea92c95f353ac3a782766c5dc0cb9cffb6dc023f686e706e4
                                                                                                                        • Instruction Fuzzy Hash: 0F31D07002264A9FC2202B61F5BC17A7BB5EF8F357784AC42E04E81A169B786D449B60
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 6d07956b848d59a37daeddb75b59fed3cfba40b28f41aa572e9d5c921f77e51a
                                                                                                                        • Instruction ID: c941c8559d0fbf25e5697e12e593953bfe2335ef7fcda31e606b962f2f8d56e2
                                                                                                                        • Opcode Fuzzy Hash: 6d07956b848d59a37daeddb75b59fed3cfba40b28f41aa572e9d5c921f77e51a
                                                                                                                        • Instruction Fuzzy Hash: 1D219275A002059FCB14DF28C4509EE37A5EBD9754B20C45DD95EAB240EB34EE07CBD2
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3018530251.0000000000ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABD000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_abd000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: d999bd85cdab18b2a0060bd0ffb6d826eb7f614bd622869a7071c011432cd39c
                                                                                                                        • Instruction ID: 68f5829e348ef664a1424d4239b21ce9af90f68817b2b6f6f12add7ff79a1d27
                                                                                                                        • Opcode Fuzzy Hash: d999bd85cdab18b2a0060bd0ffb6d826eb7f614bd622869a7071c011432cd39c
                                                                                                                        • Instruction Fuzzy Hash: 4721F271504204DFCB14EF14D9C0B66BBA9FB84318F24C669D80A4B297D33BD846CA62
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: d82807305a153cb41748a7cf149de8fdf8582d2386006a5f34699ad97969d2c5
                                                                                                                        • Instruction ID: 237a81e9ac11e87226006438fccf99611429cc3d24b19db0d82cf23a9cac72ec
                                                                                                                        • Opcode Fuzzy Hash: d82807305a153cb41748a7cf149de8fdf8582d2386006a5f34699ad97969d2c5
                                                                                                                        • Instruction Fuzzy Hash: 94215E70E05209DFCB09EFB9C4516AEBBB2EB89304F10C5AAD409AB696CB749945CF41
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 30bfbcb8571b7b29089f576b8019a30ebb52dc7c4a9cd1bf917352b8382ddbae
                                                                                                                        • Instruction ID: 901148034c4a66bc7c477a84a84bd18ad8d36e37c1056f14f7191881aaef594f
                                                                                                                        • Opcode Fuzzy Hash: 30bfbcb8571b7b29089f576b8019a30ebb52dc7c4a9cd1bf917352b8382ddbae
                                                                                                                        • Instruction Fuzzy Hash: 6B212870D0934A8FCB05DFB9D8445EDBFF0AF4A304F1452AAD445B7262EB354A49CBA1
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: cc03e3cc55779a6077dd0ad8e5e25bd19088b20616bf5e26613a27acc49c7291
                                                                                                                        • Instruction ID: a5e4c61f314cdf491f1ca931665c4232ef8fffe472745ade4ba4ed1ab1115704
                                                                                                                        • Opcode Fuzzy Hash: cc03e3cc55779a6077dd0ad8e5e25bd19088b20616bf5e26613a27acc49c7291
                                                                                                                        • Instruction Fuzzy Hash: 971136767002048FD714DB69E988B56B7E6EF98725B21846AE64E8B364CB71EC04CB50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 184e0a86ac69364dfd2aa90b2e5b1fcc0432702a81ba538ca8d35b1c024e8836
                                                                                                                        • Instruction ID: 881aeb34b7d33700d82e49dd17ff018ea95a3e5d656085436803495ca238b703
                                                                                                                        • Opcode Fuzzy Hash: 184e0a86ac69364dfd2aa90b2e5b1fcc0432702a81ba538ca8d35b1c024e8836
                                                                                                                        • Instruction Fuzzy Hash: DF012272B042041FEB189BB98808A7E6BE69F88218711857DD809D7394FF35CC028752
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3018530251.0000000000ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ABD000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_abd000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                        • Instruction ID: bcffe5f9777311d7a2709d17bba20207e554963267d49609d5b2de4cef9a51ff
                                                                                                                        • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                        • Instruction Fuzzy Hash: 6E11BB75504280CFCB11DF14D5C4B55BBA1FB84318F28C6AADC4A4B656C33AD85ACB62
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 7a61c969f77da1c19d80bec140123e7b8ff1a68073712983dc38cdfdd7019c2d
                                                                                                                        • Instruction ID: f098515d8561eac55ff2b734468ca7cb13970520a9f09bed74f26175ba01e30a
                                                                                                                        • Opcode Fuzzy Hash: 7a61c969f77da1c19d80bec140123e7b8ff1a68073712983dc38cdfdd7019c2d
                                                                                                                        • Instruction Fuzzy Hash: 9701A272B002155FE718AB7A8848A2F76EBAFC8628710883DD909D7354FF71CC068792
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 45d81333c3c77dec89919068e294555432d8a741118dfd6a959065d8ffa67a47
                                                                                                                        • Instruction ID: 07779312dcc79246b7e899590f4566cae4f918e37d6ee043b1786e658ad1708b
                                                                                                                        • Opcode Fuzzy Hash: 45d81333c3c77dec89919068e294555432d8a741118dfd6a959065d8ffa67a47
                                                                                                                        • Instruction Fuzzy Hash: D201717590021A9FCF24DF69E8549AF7FB5FBC8315B14803AEA59A3341D7349D10CB92
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: e5025e120b130ff4906fe6dfdd08ef56bf25ad375ce3f8a5c0345f95ec6021ee
                                                                                                                        • Instruction ID: 628d72cc32215f932d3e57945b87d391cc2db2176da178aab171ba8435e3c402
                                                                                                                        • Opcode Fuzzy Hash: e5025e120b130ff4906fe6dfdd08ef56bf25ad375ce3f8a5c0345f95ec6021ee
                                                                                                                        • Instruction Fuzzy Hash: 8B015E75E002199FCF24DFA9E8585AE7FB5FB88750B10843AE91A97341DB349D10CBA1
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: d52d043d6cef486ec096b6c32dedb004bbb636e304cee335e5af0a599f46f104
                                                                                                                        • Instruction ID: 7d7926596277accc6ddc8b8238eaa45e5cae6de02af748aba378ec6d64b629a7
                                                                                                                        • Opcode Fuzzy Hash: d52d043d6cef486ec096b6c32dedb004bbb636e304cee335e5af0a599f46f104
                                                                                                                        • Instruction Fuzzy Hash: DE0156317002008FDB24DB2ADA88B66B7E6EF89725F118469E54E8F364CB71EC05CB50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 0b7151d4462db02d21cdc019e212989187db2fc58a13ed30ffbbe41c817301d4
                                                                                                                        • Instruction ID: 5cb00d12d09313c16e26b5f6fe07006ae457a8b36e35bb3452392e4425110bcd
                                                                                                                        • Opcode Fuzzy Hash: 0b7151d4462db02d21cdc019e212989187db2fc58a13ed30ffbbe41c817301d4
                                                                                                                        • Instruction Fuzzy Hash: 1D01F9357082485BCB2527756C1C45D7FAAEBC67157144067E50ACB382DA398C029791
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 4a008f9ca235975dbe9be3e0bfb125a931034ebc6130202a4b907e2bc51bce45
                                                                                                                        • Instruction ID: 0412f5982e9dc0d3d3e74a07f7b2d905a405d1fb430deaf70d8dd8ce12305138
                                                                                                                        • Opcode Fuzzy Hash: 4a008f9ca235975dbe9be3e0bfb125a931034ebc6130202a4b907e2bc51bce45
                                                                                                                        • Instruction Fuzzy Hash: A6F0F672E011089FCB50DF6DD9855DFBFF5EB98250B004536D509D3205EB30EA068BD1
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: abf796cde741a67337211ef0e0b317f0e17df5000bf07b4703fe0eaf0fdc2522
                                                                                                                        • Instruction ID: 823ecb5bec96e57856a7e2661a41feb7f95437151102c648dee596fb18a6c7e1
                                                                                                                        • Opcode Fuzzy Hash: abf796cde741a67337211ef0e0b317f0e17df5000bf07b4703fe0eaf0fdc2522
                                                                                                                        • Instruction Fuzzy Hash: F9F0A7327005255BC7259669E41495EB7EDDFC5731714807AF50DEB351DF31DC028790
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: ea796e67e16c18a21c2aa0d00017c9418895402f16451e1e2dc6d9815f2aa831
                                                                                                                        • Instruction ID: 353fbe11ad571f43597ba1a22d46ad4766ec7811b0c336ab826738944c739e22
                                                                                                                        • Opcode Fuzzy Hash: ea796e67e16c18a21c2aa0d00017c9418895402f16451e1e2dc6d9815f2aa831
                                                                                                                        • Instruction Fuzzy Hash: 0FF0DA30819B928FD322ABB4A8AD66A7F71EB0B307B486E45E44A91073CB710406CB11
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 2f84938a71c21647d96cd83d6ff147585bfc568169ce5c7ee876de35b52a4b90
                                                                                                                        • Instruction ID: d8c85e46779f75dc550394fc70d27d45eeb0c450fa6e0b76d792c85f6023ca3f
                                                                                                                        • Opcode Fuzzy Hash: 2f84938a71c21647d96cd83d6ff147585bfc568169ce5c7ee876de35b52a4b90
                                                                                                                        • Instruction Fuzzy Hash: 4EF08271A00208AF8B50DFAED84099FFBF5FB88350B10453AE509E3211E770AA159BE1
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: b8f255f84cee90f8c58f7aca42ce1a6160cdd744d6f0875e0ac85f5468ea9c9e
                                                                                                                        • Instruction ID: e73b08e8eaeeb2baea04c4f8dc4a33c1ec44d3395dac1cbdb870a73a86881c82
                                                                                                                        • Opcode Fuzzy Hash: b8f255f84cee90f8c58f7aca42ce1a6160cdd744d6f0875e0ac85f5468ea9c9e
                                                                                                                        • Instruction Fuzzy Hash: 1AE07630822B028BD261ABB0A8AC76ABB65EB0B313B846F00A00E910729F7104468A14
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: ed392aff1b17778a8e45f6887c89448912effd99e8df5520d6aa5239ec722e4b
                                                                                                                        • Instruction ID: 66b87dbfb931f4121b3c109bd9d516c5ec4c6cfcdc2dc74b5db13c457e0bee74
                                                                                                                        • Opcode Fuzzy Hash: ed392aff1b17778a8e45f6887c89448912effd99e8df5520d6aa5239ec722e4b
                                                                                                                        • Instruction Fuzzy Hash: 28E02031D50327CBCB02EFB19C504DD77745D912207444367C0A877861DB38550FCB62
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: d4798250efd236f63c6dc6f0681edc19909ff42fcd22662f801f524b14f2d9e3
                                                                                                                        • Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
                                                                                                                        • Opcode Fuzzy Hash: d4798250efd236f63c6dc6f0681edc19909ff42fcd22662f801f524b14f2d9e3
                                                                                                                        • Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: f2e8619ccb173da7d15868eb14e54c3d62d8dd0fe97fbd8302d4bbd01212e8fc
                                                                                                                        • Instruction ID: 668c87fb76e1c89d287060781d5777e20921f415100171d018dd0571d98a33be
                                                                                                                        • Opcode Fuzzy Hash: f2e8619ccb173da7d15868eb14e54c3d62d8dd0fe97fbd8302d4bbd01212e8fc
                                                                                                                        • Instruction Fuzzy Hash: 09D02B2610938DC78A1A7A902806215B7346903606740D2DF984CEE013FA005C1D83D1
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 3b86e02aef638409910a47848e529824e9c8195350e2669a36bc9cfbb7132c18
                                                                                                                        • Instruction ID: 4fbcc66a17f2d1f53b944227f3dd9f01a17b8214680924092e981d015b23e8c2
                                                                                                                        • Opcode Fuzzy Hash: 3b86e02aef638409910a47848e529824e9c8195350e2669a36bc9cfbb7132c18
                                                                                                                        • Instruction Fuzzy Hash: 96C0482440E2C00FCF0787A9486A9A67FB09D1B20AB681ADFC0C29A8A7D509650BE716
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3022690771.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_5440000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: .5vq
                                                                                                                        • API String ID: 0-493797296
                                                                                                                        • Opcode ID: 341675a4fa7339b83214ae2ce8daf07add2e93702d5ca9d2231edd05cc5cfd24
                                                                                                                        • Instruction ID: 3334565a8a28314b5b5ca2196c4b6a28594bb2a38a74ae09e69fce42ae865c14
                                                                                                                        • Opcode Fuzzy Hash: 341675a4fa7339b83214ae2ce8daf07add2e93702d5ca9d2231edd05cc5cfd24
                                                                                                                        • Instruction Fuzzy Hash: 39526C74E01228CFDB64DF69C984BDDBBB2BB89300F1085EAD409AB255DB359E85CF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3022280678.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_4e60000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: a992a10fde6053f624f75d0adb65bd3fcd5f1bd1ef072276247d061457d01bb3
                                                                                                                        • Instruction ID: 2297ca4bcdb0175c8ec668ab0cf4bdd478fe9624a01cdfff8d1b2cfde76bbc37
                                                                                                                        • Opcode Fuzzy Hash: a992a10fde6053f624f75d0adb65bd3fcd5f1bd1ef072276247d061457d01bb3
                                                                                                                        • Instruction Fuzzy Hash: 77C1E374E01218CFDB14DFA5C994B9DBBB2BF89304F1094AAD409AB364DB35AE85CF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3022280678.0000000004E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_4e60000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3022690771.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_5440000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: dd7fd51034346a3bf9f88cac8c21d7d1f2dde79027253a9ba361519e2a925cb5
                                                                                                                        • Instruction ID: 145402476a9dc2271ba986a6093c2c08fce2ed061c2d8c2ccf6c3ce186b1c525
                                                                                                                        • Opcode Fuzzy Hash: dd7fd51034346a3bf9f88cac8c21d7d1f2dde79027253a9ba361519e2a925cb5
                                                                                                                        • Instruction Fuzzy Hash: 66C1D274E05218CFEB14DFA5C994B9DBBB2BF88304F1084AAD409AB364DB359E85CF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3022690771.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_5440000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: ca5c7df4c5d72d24a69f24c22b69a67f6ae4bc16865e09460faa764c387573d2
                                                                                                                        • Instruction ID: 597be397c99ef05ca0f11879054d08740a597d008881867ff7247d45d57a7390
                                                                                                                        • Opcode Fuzzy Hash: ca5c7df4c5d72d24a69f24c22b69a67f6ae4bc16865e09460faa764c387573d2
                                                                                                                        • Instruction Fuzzy Hash: 9CC1C374E01218CFEB14DFA5C994B9DBBB2BF89304F1084AAD409AB365DB359E85CF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3022690771.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_5440000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 738bed54faa7610ade13d73411f40b3f13d4cdac5f4ea0da63c34513621164d7
                                                                                                                        • Instruction ID: 17a75393b075fea91f1f8da573a17e81b5833c00c141f25519a04d24aab43375
                                                                                                                        • Opcode Fuzzy Hash: 738bed54faa7610ade13d73411f40b3f13d4cdac5f4ea0da63c34513621164d7
                                                                                                                        • Instruction Fuzzy Hash: 11C1B174E01218CFEB54DFA5C994B9DBBB2BF89304F1080AAD409AB365DB359E85CF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3022690771.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_5440000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 97d8ec9dd14ae8f16f47092ad45d366cc865fe79ca542bb0a27f44fca6f860a4
                                                                                                                        • Instruction ID: 102fea4193ded83014dc738b2e17beebf549588af76447b5fc8eca227fbc5e51
                                                                                                                        • Opcode Fuzzy Hash: 97d8ec9dd14ae8f16f47092ad45d366cc865fe79ca542bb0a27f44fca6f860a4
                                                                                                                        • Instruction Fuzzy Hash: 1FC1B374E01218CFEB14DFA5C994B9DBBB2BF89304F1084AAD409AB365DB359E85CF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3022690771.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_5440000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: b7c88121cd6265e3bb56dc7671604e35fa4120995af21dc63ae13dd05c40edde
                                                                                                                        • Instruction ID: 094be596989b01e2845bc7aff1ad99c1e3cf4f399eb71d26056056181839dfc1
                                                                                                                        • Opcode Fuzzy Hash: b7c88121cd6265e3bb56dc7671604e35fa4120995af21dc63ae13dd05c40edde
                                                                                                                        • Instruction Fuzzy Hash: C7C1B374E01218CFEB14DFA5C994B9DBBB2BF89304F1090AAD409AB365DB359E85CF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3022690771.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_5440000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 65f81ad817626926d8e0eafdf134fb2c858ef1be647493b25cc25d8cf04a215c
                                                                                                                        • Instruction ID: ec5ff73ed7d9b3f4e747e0602fd29ce8fab2558d867230e4d99503ceaf5e2307
                                                                                                                        • Opcode Fuzzy Hash: 65f81ad817626926d8e0eafdf134fb2c858ef1be647493b25cc25d8cf04a215c
                                                                                                                        • Instruction Fuzzy Hash: FAC1C374E01218CFEB54DFA5C994B9DBBB2BF89304F1080AAD409AB365DB359E85CF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3022690771.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_5440000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 27bbadf455f14bf4ccac902c8f0f90fccadf2be9ffa698fef5eeabb6975557fc
                                                                                                                        • Instruction ID: ab06d0eb2a8221261f20f5ebe1202a95cd2d198cc36b9ce49f08942ac32441dc
                                                                                                                        • Opcode Fuzzy Hash: 27bbadf455f14bf4ccac902c8f0f90fccadf2be9ffa698fef5eeabb6975557fc
                                                                                                                        • Instruction Fuzzy Hash: A8C1B374E01218CFEB14DFA5C994B9DBBB2BF89304F2080AAD409AB365DB355E85CF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3022690771.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_5440000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: f57f57535dbb7bc9dc9f3ce2fd6b7c2cf88429f4fe20e389f7bafd612da9421f
                                                                                                                        • Instruction ID: 98cb9badeaee98409d619ed5c17971047a3dc5998ce13701139163c3572945cc
                                                                                                                        • Opcode Fuzzy Hash: f57f57535dbb7bc9dc9f3ce2fd6b7c2cf88429f4fe20e389f7bafd612da9421f
                                                                                                                        • Instruction Fuzzy Hash: 6FC1D374E01218CFEB14DFA5C994B9DBBB2BF88304F1094AAD409AB365DB359E85CF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3022690771.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_5440000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 6712503b789eb631af0e8340865b36919b92da7e00c9105c1a5cd6c7cec61056
                                                                                                                        • Instruction ID: d7b01bff80aa33971a654c2d51a7743f5615c633366112236456afd703baed7f
                                                                                                                        • Opcode Fuzzy Hash: 6712503b789eb631af0e8340865b36919b92da7e00c9105c1a5cd6c7cec61056
                                                                                                                        • Instruction Fuzzy Hash: ECC1C474E01218CFDB14DFA5C954B9DBBB2BF89304F1084AAD409AB365DB355E85CF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3022690771.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_5440000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 40171d4300680275c57afff55133f49dadf84f11c507bf4c818c7aa8e1f50212
                                                                                                                        • Instruction ID: 30d8ebf4f6dec949ca6e0e52bd550eda08684e1a2febae70a57af0d16971eb72
                                                                                                                        • Opcode Fuzzy Hash: 40171d4300680275c57afff55133f49dadf84f11c507bf4c818c7aa8e1f50212
                                                                                                                        • Instruction Fuzzy Hash: 14C1C374E01218CFEB14DFA5C994B9DBBB2BF89304F1084AAD409AB365DB359E85CF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3022690771.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_5440000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 1393aac3762f7254d515c20e279a52f78fa7d466183a058abaeb8cbe03ca8c56
                                                                                                                        • Instruction ID: d8f5e57fd25255cee918edbe8caa83accf3f976ef1548930df510950e06e60f0
                                                                                                                        • Opcode Fuzzy Hash: 1393aac3762f7254d515c20e279a52f78fa7d466183a058abaeb8cbe03ca8c56
                                                                                                                        • Instruction Fuzzy Hash: 14C1C374E05218CFDB14DFA5C994B9DBBB2BF89304F1080AAD409AB364DB359E85CF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3022690771.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_5440000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 39c6576887f35971453d44352f41a5b6bc6c95d4edfba15befdcdcc96b660b6d
                                                                                                                        • Instruction ID: 49d607f552e768d81db4fda5a21f337f55cad2e27fcb8a83e26e15019a7db969
                                                                                                                        • Opcode Fuzzy Hash: 39c6576887f35971453d44352f41a5b6bc6c95d4edfba15befdcdcc96b660b6d
                                                                                                                        • Instruction Fuzzy Hash: F5C1B374E01218CFDB14DFA5C994B9DBBB2BF89304F2084AAD409AB355DB359E85CF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3022690771.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_5440000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: dbab612c936c01d2e238d3dc5b76362b5e7031b918d65f70202b2e8065e7b9dc
                                                                                                                        • Instruction ID: 2b42ca8866095ad3a18a33a56068560997675d09af7093935baf891dcadfb67d
                                                                                                                        • Opcode Fuzzy Hash: dbab612c936c01d2e238d3dc5b76362b5e7031b918d65f70202b2e8065e7b9dc
                                                                                                                        • Instruction Fuzzy Hash: E8C1B474E01218CFEB14DFA5C994B9DBBB2BF89304F1080AAD809AB355DB355E85CF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3022690771.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_5440000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: f07862400cd3dfbb9f2f3a30946bf21c5d0aa4c8e8b58413bc9036f0f3cb6e40
                                                                                                                        • Instruction ID: 7cfefaa6b1066e7a82aa615beee2ba722283751c2dcce5dd639918d2d12e968b
                                                                                                                        • Opcode Fuzzy Hash: f07862400cd3dfbb9f2f3a30946bf21c5d0aa4c8e8b58413bc9036f0f3cb6e40
                                                                                                                        • Instruction Fuzzy Hash: 54C1C374E05218CFEB14DFA5C994B9DBBB2BF88304F1080AAD409AB365DB355E85CF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3022690771.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_5440000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 04c2d8b140607624607f371f75046735162817a4951104389d964dc543da5a56
                                                                                                                        • Instruction ID: 9a8aa1d343d78a4e80701587671d3064f6d9927441866f8620b916853932ab8a
                                                                                                                        • Opcode Fuzzy Hash: 04c2d8b140607624607f371f75046735162817a4951104389d964dc543da5a56
                                                                                                                        • Instruction Fuzzy Hash: 1FC1B274E01218CFEB14DFA5C994B9DBBB2BF89304F1080AAD409AB365DB359E85CF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3022690771.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_5440000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: cf3ae0dc9bfee96acbe7183872fabd9b9a7fa0dcf8afe6e940aca16432b2f7d3
                                                                                                                        • Instruction ID: 2a337d5b285a1be7dcd0d86721c9b7d847246dee58b79ae82fedc399f420dbc0
                                                                                                                        • Opcode Fuzzy Hash: cf3ae0dc9bfee96acbe7183872fabd9b9a7fa0dcf8afe6e940aca16432b2f7d3
                                                                                                                        • Instruction Fuzzy Hash: F6C1B474E01218CFDB14DFA5C994B9DBBB2BF89304F2090AAD409AB365DB359E85CF50
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3022690771.0000000005440000.00000040.00000800.00020000.00000000.sdmp, Offset: 05440000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_5440000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID:
                                                                                                                        • API String ID:
                                                                                                                        • Opcode ID: 5aae39d9c5a75e8f3971df778f56d1ca60becf3b6c63a65f9571e231ed328fce
                                                                                                                        • Instruction ID: 3621a191333bb8f56e6a7a8ed39ce46c07618ed3e76b3e30bbd7b1a4f88ae104
                                                                                                                        • Opcode Fuzzy Hash: 5aae39d9c5a75e8f3971df778f56d1ca60becf3b6c63a65f9571e231ed328fce
                                                                                                                        • Instruction Fuzzy Hash: CA017C70C1A2009FDB00EFB0E89C7DE7F70EB0A312F445A9AE405971B2D7740645DB40
                                                                                                                        Strings
                                                                                                                        Memory Dump Source
                                                                                                                        • Source File: 00000004.00000002.3019384819.0000000000E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E70000, based on PE: false
                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                        • Snapshot File: hcaresult_4_2_e70000_3qr7JBuNuX.jbxd
                                                                                                                        Similarity
                                                                                                                        • API ID:
                                                                                                                        • String ID: Xbq$Xbq$Xbq$Xbq
                                                                                                                        • API String ID: 0-2732225958
                                                                                                                        • Opcode ID: ca8b7bd5f0e6008775495d6273ee96ff3b85f847e3f66ae6b364b6d17e7b5d97
                                                                                                                        • Instruction ID: 4196be57673498605b0554c624daaa8e8923582e3daf334cb3e28d24f57e11e7
                                                                                                                        • Opcode Fuzzy Hash: ca8b7bd5f0e6008775495d6273ee96ff3b85f847e3f66ae6b364b6d17e7b5d97
                                                                                                                        • Instruction Fuzzy Hash: BC318530E043198BDF64CB6D85403AEB7B6AB94310F1491B9C44DB7255DB30CD81CB92