
Windows Analysis Report
MB263350411AE_1.scr.exe

Overview

General Information

Sample name: MB263350411AE_1.scr.exe
Analysis ID: 1590687
MD5: e10205715f674c1e004c6dbfced1d278
SHA1: 60a8841a8d7e074a81ed2f6a49b853b83ef220ca
SHA256: efd86329975988f4c9e3178d139e82558d9ab07bb53dea0c5b6d0b234bb5cd35
Tags: exe, scr, user-Racco42

Detection

MassLogger RAT, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected MassLogger RAT
Yara detected PureLog Stealer
Yara detected Telegram RAT
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • MB263350411AE_1.scr.exe (PID: 7428 cmdline: "C:\Users\user\Desktop\MB263350411AE_1.scr.exe" MD5: E10205715F674C1E004C6DBFCED1D278)
    • powershell.exe (PID: 7588 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7892 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7608 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDVstwLnVvg" /XML "C:\Users\user\AppData\Local\Temp\tmp1488.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • MB263350411AE_1.scr.exe (PID: 7768 cmdline: "C:\Users\user\Desktop\MB263350411AE_1.scr.exe" MD5: E10205715F674C1E004C6DBFCED1D278)
  • nDVstwLnVvg.exe (PID: 7836 cmdline: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe MD5: E10205715F674C1E004C6DBFCED1D278)
    • schtasks.exe (PID: 7984 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDVstwLnVvg" /XML "C:\Users\user\AppData\Local\Temp\tmp1DC0.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • nDVstwLnVvg.exe (PID: 8036 cmdline: "C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe" MD5: E10205715F674C1E004C6DBFCED1D278)
    • nDVstwLnVvg.exe (PID: 8044 cmdline: "C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe" MD5: E10205715F674C1E004C6DBFCED1D278)
  • cleanup
{"EXfil Mode": "SMTP", "From": "serverhar244@gpsamsterdamqroup.com", "Password": "         feXwu@m?K@@L               ", "Server": "fiber13.dnsiaas.com", "To": "benfavour015@gmail.com", "Port": 587}
Source | Rule | Description | Author | Strings
00000007.00000002.1743871587.0000000004507000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
00000007.00000002.1743871587.0000000004507000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000007.00000002.1743871587.0000000004507000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000007.00000002.1743871587.0000000004507000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  Strings matched:
  • 0xf81f:$a1: get_encryptedPassword
  • 0xfb47:$a2: get_encryptedUsername
  • 0xf5ba:$a3: get_timePasswordChanged
  • 0xf6db:$a4: get_passwordField
  • 0xf835:$a5: set_encryptedPassword
  • 0x11191:$a7: get_logins
  • 0x10e42:$a8: GetOutlookPasswords
  • 0x10c34:$a9: StartKeylogger
  • 0x110e1:$a10: KeyLoggerEventArgs
  • 0x10c91:$a11: KeyLoggerEventArgsEventHandler
00000006.00000002.2904272614.0000000000403000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
(38 further memory-dump matches not shown in this extract)
Source | Rule | Description | Author | Strings
0.2.MB263350411AE_1.scr.exe.5310000.6.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.MB263350411AE_1.scr.exe.2df45f0.2.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
7.2.nDVstwLnVvg.exe.43aa0a0.3.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
7.2.nDVstwLnVvg.exe.43aa0a0.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
7.2.nDVstwLnVvg.exe.43aa0a0.3.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
(36 further unpacked-file matches not shown in this extract)

                    System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\MB263350411AE_1.scr.exe", ParentImage: C:\Users\user\Desktop\MB263350411AE_1.scr.exe, ParentProcessId: 7428, ParentProcessName: MB263350411AE_1.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe", ProcessId: 7588, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\MB263350411AE_1.scr.exe", ParentImage: C:\Users\user\Desktop\MB263350411AE_1.scr.exe, ParentProcessId: 7428, ParentProcessName: MB263350411AE_1.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe", ProcessId: 7588, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDVstwLnVvg" /XML "C:\Users\user\AppData\Local\Temp\tmp1DC0.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDVstwLnVvg" /XML "C:\Users\user\AppData\Local\Temp\tmp1DC0.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe, ParentImage: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe, ParentProcessId: 7836, ParentProcessName: nDVstwLnVvg.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDVstwLnVvg" /XML "C:\Users\user\AppData\Local\Temp\tmp1DC0.tmp", ProcessId: 7984, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDVstwLnVvg" /XML "C:\Users\user\AppData\Local\Temp\tmp1488.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDVstwLnVvg" /XML "C:\Users\user\AppData\Local\Temp\tmp1488.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\MB263350411AE_1.scr.exe", ParentImage: C:\Users\user\Desktop\MB263350411AE_1.scr.exe, ParentProcessId: 7428, ParentProcessName: MB263350411AE_1.scr.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDVstwLnVvg" /XML "C:\Users\user\AppData\Local\Temp\tmp1488.tmp", ProcessId: 7608, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\MB263350411AE_1.scr.exe", ParentImage: C:\Users\user\Desktop\MB263350411AE_1.scr.exe, ParentProcessId: 7428, ParentProcessName: MB263350411AE_1.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe", ProcessId: 7588, ProcessName: powershell.exe
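The Sigma hits above all key on the same two command lines: PowerShell adding a Defender exclusion for a file under AppData, and schtasks.exe importing a task definition from an XML in the user's Temp folder on behalf of a parent that itself runs from Desktop or AppData. As an added example (this is not Joe Sandbox's or any published Sigma rule's code), here is equivalent detection logic in Python, run over process-creation records constructed from the command lines in this report plus one benign control. The record field names, the USER_WRITABLE path list and the tag names are this example's own choices.

```python
import re

# Constructed process-creation records modelled on the command lines in the
# report above (field names are this example's own, not a Sysmon/Joe schema).
SAMPLE_EVENTS = [
    {"pid": 7588,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe"',
     "parent_image": r"C:\Users\user\Desktop\MB263350411AE_1.scr.exe"},
    {"pid": 7608,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDVstwLnVvg" /XML "C:\Users\user\AppData\Local\Temp\tmp1488.tmp"',
     "parent_image": r"C:\Users\user\Desktop\MB263350411AE_1.scr.exe"},
    {"pid": 7984,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDVstwLnVvg" /XML "C:\Users\user\AppData\Local\Temp\tmp1DC0.tmp"',
     "parent_image": r"C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe"},
    # Constructed benign control: a task created from a Program Files XML by
    # explorer.exe must not fire any rule.
    {"pid": 4242,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\Program Files\Backup\nightly.xml"',
     "parent_image": r"C:\Windows\explorer.exe"},
]

# Locations a standard user can write to; a task XML, an exclusion target or a
# parent binary there is far more suspicious than one under Program Files.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(?:Desktop|Downloads|AppData)\\|\\ProgramData\\|\\Temp\\"
    r"|%(?:TEMP|TMP|APPDATA|LOCALAPPDATA)%",
    re.I)


def _switch_value(cmd, switch):
    """Return the argument following `switch` (quoted or bare), or None."""
    m = re.search(switch + r'\s+(?:"([^"]+)"|(\S+))', cmd, re.I)
    return (m.group(1) or m.group(2)) if m else None


def defender_exclusion_rule(ev):
    """PowerShell adding a Defender exclusion (cf. 'Powershell Defender Exclusion').
    Adds a second tag when the excluded path is itself user-writable."""
    if not ev["image"].lower().endswith("powershell.exe"):
        return []
    low = ev["cmd"].lower()
    if not (("add-mppreference" in low or "set-mppreference" in low) and "-exclusion" in low):
        return []
    tags = ["powershell_defender_exclusion"]
    target = _switch_value(ev["cmd"], r"-Exclusion(?:Path|Process|Extension)")
    if target and USER_WRITABLE.search(target):
        tags.append("defender_exclusion_in_user_path")
    return tags


def schtasks_rule(ev):
    """schtasks /Create fed an XML from a temp/AppData folder, or launched by a
    parent living in a user-writable folder (cf. the two schtasks Sigma hits)."""
    if not ev["image"].lower().endswith("schtasks.exe"):
        return []
    if not re.search(r"/create\b", ev["cmd"], re.I):
        return []
    tags = []
    xml = _switch_value(ev["cmd"], r"/XML")
    if xml and USER_WRITABLE.search(xml):
        tags.append("schtasks_xml_from_temp")
    if USER_WRITABLE.search(ev["parent_image"]):
        tags.append("schtasks_suspicious_parent")
    return tags


RULES = (defender_exclusion_rule, schtasks_rule)


def triage(events):
    """Run every rule over every event; returns (pid, tag) pairs in event order."""
    return [(ev["pid"], tag) for ev in events for rule in RULES for tag in rule(ev)]


if __name__ == "__main__":
    for pid, tag in triage(SAMPLE_EVENTS):
        print(f"PID {pid}: {tag}")
```

The parent-image check is what separates this chain from routine task creation: schtasks.exe importing an XML is common in installers, but an importer that is itself running from Desktop or AppData\Roaming and whose task name lands in a "Updates\" folder is the persistence pattern shown in the process tree above.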

                    Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDVstwLnVvg" /XML "C:\Users\user\AppData\Local\Temp\tmp1488.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDVstwLnVvg" /XML "C:\Users\user\AppData\Local\Temp\tmp1488.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\MB263350411AE_1.scr.exe", ParentImage: C:\Users\user\Desktop\MB263350411AE_1.scr.exe, ParentProcessId: 7428, ParentProcessName: MB263350411AE_1.scr.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDVstwLnVvg" /XML "C:\Users\user\AppData\Local\Temp\tmp1488.tmp", ProcessId: 7608, ProcessName: schtasks.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-14T13:56:58.649423+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49735 | 193.122.130.0 | 80 | TCP
2025-01-14T13:57:01.442234+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49737 | 193.122.130.0 | 80 | TCP


                    AV Detection

Source: 0.2.MB263350411AE_1.scr.exe.3a09990.4.raw.unpack | Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "serverhar244@gpsamsterdamqroup.com", "Password": " feXwu@m?K@@L ", "Server": "fiber13.dnsiaas.com", "To": "benfavour015@gmail.com", "Port": 587}
Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Virustotal: Detection: 36%
Source: MB263350411AE_1.scr.exe | Virustotal: Detection: 36%
Source: MB263350411AE_1.scr.exe | ReversingLabs: Detection: 23%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Joe Sandbox ML: detected
Source: MB263350411AE_1.scr.exe | Joe Sandbox ML: detected

                    Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: MB263350411AE_1.scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49736 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49739 version: TLS 1.0
Source: MB263350411AE_1.scr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: yBlD.pdb | source: MB263350411AE_1.scr.exe, nDVstwLnVvg.exe.0.dr
Source: Binary string: yBlD.pdbSHA256> | source: MB263350411AE_1.scr.exe, nDVstwLnVvg.exe.0.dr
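The "Static PE information" lines above (EXECUTABLE_IMAGE, 32BIT_MACHINE; DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE), together with the "Binary contains a suspicious time stamp" and "PE / OLE file has an invalid certificate" signatures earlier on the page, are all read straight from the PE headers. As an added example (not Joe Sandbox's code), here is a dependency-free Python parser that extracts those facts from a PE32 image. Because the sample's bytes are not on this page, it runs over two constructed header-only images, one shaped like the report's flags and one unremarkable control. Header offsets follow the PE/COFF specification; the report does not say which test made the timestamp "suspicious", so the "later than the analysis time" rule here is this example's assumption, as are the constructed directory RVAs and sizes.

```python
import struct
from datetime import datetime, timezone

# Flag names as printed in the report's "Static PE information" lines.
FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE",
                        0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT", 0x0400: "NO_SEH",
                       0x8000: "TERMINAL_SERVER_AWARE", 0x4000: "GUARD_CF"}
IMAGE_FILE_MACHINE_I386 = 0x14C
PE32_MAGIC = 0x10B
DIR_SECURITY, DIR_CLR = 4, 14        # data-directory indices from the PE/COFF spec


def triage_pe(data, now):
    """Parse DOS, COFF and optional headers of a PE32 image and return the facts
    a first-pass static triage wants. `now` (tz-aware UTC) is the reference
    time for the 'link time in the future' check."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, _nsect, stamp, _, _, _opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24              # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 (32-bit) images are handled in this example")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    n_dirs = struct.unpack_from("<I", data, opt + 92)[0]

    def directory(i):                # (RVA, size); PE32 directories start at +96
        return struct.unpack_from("<II", data, opt + 96 + 8 * i) if i < n_dirs else (0, 0)

    compiled = datetime.fromtimestamp(stamp, timezone.utc)
    return {
        "machine": "I386" if machine == IMAGE_FILE_MACHINE_I386 else hex(machine),
        "characteristics": [n for f, n in FILE_CHARACTERISTICS.items() if chars & f],
        "dll_characteristics": [n for f, n in DLL_CHARACTERISTICS.items() if dll_chars & f],
        "compile_time": compiled.isoformat(),
        # A link time after the analysis time cannot be genuine (example's own rule).
        "suspicious_timestamp": compiled > now,
        # Non-empty security directory = an Authenticode blob is present. Whether
        # it verifies needs a chain check (signtool / Get-AuthenticodeSignature).
        "has_authenticode_blob": directory(DIR_SECURITY)[1] > 0,
        "has_clr_header": directory(DIR_CLR)[1] > 0,
    }


def build_pe32(stamp, dll_chars, signed, clr):
    """Constructed minimal PE32 header-only image for offline testing. It has no
    section table, so only header-level checks are meaningful on it."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)              # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 0, stamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)                               # PE32 optional header, 16 directories
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 92, 16)
    if signed:                                         # assumed RVA/size, not the sample's
        struct.pack_into("<II", opt, 96 + 8 * DIR_SECURITY, 0x9000, 0x1800)
    if clr:
        struct.pack_into("<II", opt, 96 + 8 * DIR_CLR, 0x2008, 0x48)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


ANALYSIS_TIME = datetime(2025, 1, 14, 13, 0, tzinfo=timezone.utc)   # report date, UTC


def run_demo():
    """Two constructed images: one with the report's flag set, a future link
    time and a signature blob; one unremarkable control."""
    shaped = build_pe32(0x7FFF0000, 0x0040 | 0x0100 | 0x0400 | 0x8000, signed=True, clr=True)
    control = build_pe32(1700000000, 0x0040 | 0x0100, signed=False, clr=False)
    return {"sample": triage_pe(shaped, ANALYSIS_TIME),
            "control": triage_pe(control, ANALYSIS_TIME)}


if __name__ == "__main__":
    for name, facts in run_demo().items():
        print(name, facts)
```

Two caveats when reading the output on a real file: toolchains that do deterministic builds (current .NET compilers among them) write a hash-derived value into TimeDateStamp, so an impossible timestamp is a weak signal on its own, and a present security directory says nothing about whether the certificate chains to a trusted root, which is exactly the distinction the report's "invalid certificate" signature draws.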
Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 4x nop then jmp 074C341Ch | 0_2_074C384C
Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 4x nop then jmp 074C341Ch | 0_2_074C3B75
Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 4x nop then jmp 00DF9731h | 6_2_00DF9480
Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 4x nop then jmp 00DF9E5Ah | 6_2_00DF9A40
Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 4x nop then jmp 00DF9E5Ah | 6_2_00DF9A30
Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 4x nop then jmp 00DF9E5Ah | 6_2_00DF9D87
Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 4x nop then jmp 054A47C9h | 6_2_054A4520
Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 4x nop then jmp 054A8830h | 6_2_054A8588
Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 4x nop then jmp 054AF700h | 6_2_054AF458
Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 4x nop then jmp 054A76D0h | 6_2_054A7428
Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 4x nop then jmp 054AE9F8h | 6_2_054AE750
Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 4x nop then jmp 054A5929h | 6_2_054A5680
Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 4x nop then jmp 054A83D8h | 6_2_054A8130
Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 4x nop then jmp 054AE5A0h | 6_2_054AE180
Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 4x nop then jmp 054AF2A8h | 6_2_054AF000
Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 4x nop then jmp 054A54D1h | 6_2_054A5228
Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 4x nop then jmp 054A5079h | 6_2_054A4DD0
Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 4x nop then jmp 054A7F80h | 6_2_054A7CD8
Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 4x nop then jmp 054A7278h | 6_2_054A6FD0
Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 4x nop then jmp 054A4C21h | 6_2_054A4978
Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 4x nop then jmp 054A7B28h | 6_2_054A7880
Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 4x nop then jmp 054AFB58h | 6_2_054AF8B0
Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 4x nop then jmp 054AEE50h | 6_2_054AEBA8
Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 4x nop then jmp 054A5E15h | 6_2_054A5AD8
Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 4x nop then jmp 07732704h | 7_2_07732B34
Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 4x nop then jmp 07732704h | 7_2_07732E5D
Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 4x nop then jmp 01239731h | 12_2_01239480
Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 4x nop then jmp 01239E5Ah | 12_2_01239A30
Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 4x nop then jmp 01239E5Ah | 12_2_01239D87
Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 4x nop then jmp 030B5E15h | 12_2_030B5AD8
Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 4x nop then jmp 030B54D1h | 12_2_030B5228
Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 4x nop then jmp 030B83D8h | 12_2_030B8130
Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 4x nop then jmp 030BE5A0h | 12_2_030BE180
Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 4x nop then jmp 030BF2A8h | 12_2_030BF000
Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 4x nop then jmp 030BE9F8h | 12_2_030BE750
Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 4x nop then jmp 030B5929h | 12_2_030B5680
Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 4x nop then jmp 030B47C9h | 12_2_030B4520
Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 4x nop then jmp 030B8830h | 12_2_030B8588
Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 4x nop then jmp 030B76D0h | 12_2_030B7428
Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 4x nop then jmp 030BF700h | 12_2_030BF458
Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 4x nop then jmp 030BEE50h | 12_2_030BEBA8
Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 4x nop then jmp 030B4C21h | 12_2_030B4978
Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 4x nop then jmp 030B7B28h | 12_2_030B7880
Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 4x nop then jmp 030BFB58h | 12_2_030BF8B0
Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 4x nop then jmp 030B7278h | 12_2_030B6FD0
Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 4x nop then jmp 030B5079h | 12_2_030B4DD0
Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 4x nop then jmp 030B7F80h | 12_2_030B7CD8
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.21.16.1
Source: Joe Sandbox View | IP Address: 104.21.16.1
Source: Joe Sandbox View | IP Address: 193.122.130.0
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49735 -> 193.122.130.0:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49737 -> 193.122.130.0:80
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49736 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49739 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
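The network lines above are what the signatures "May check the online IP address of the machine", "Tries to detect the country of the analysis system (by using the IP)", "HTTP GET or POST without a user agent" and "Uses insecure TLS / SSL version for HTTPS connection" refer to: a GET to checkip.dyndns.org with a hard-coded legacy User-Agent, then a GET /xml/<public ip> to reallyfreegeoip.org with no User-Agent at all, over TLS 1.0. As an added example (not the sandbox's detection code), here is a Python triage of captured HTTP flows that re-derives those indicators. The flow records are constructed from the request lines and TLS versions in this report; pairing the TLS 1.0 session with the reallyfreegeoip.org request is this example's assumption, and the record fields and tag names are this example's own.

```python
import re

# Constructed flow records built from the request lines and TLS versions shown
# in the report. Pairing the TLS 1.0 session with the reallyfreegeoip.org request
# is an assumption of this example, not something the report states.
SAMPLE_FLOWS = [
    {"dst": "193.122.130.0", "dport": 80, "tls": None,
     "request": ("GET / HTTP/1.1\r\n"
                 "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)\r\n"
                 "Host: checkip.dyndns.org\r\nConnection: Keep-Alive\r\n\r\n")},
    {"dst": "104.21.16.1", "dport": 443, "tls": "TLS 1.0",
     "request": ("GET /xml/8.46.123.189 HTTP/1.1\r\n"
                 "Host: reallyfreegeoip.org\r\nConnection: Keep-Alive\r\n\r\n")},
    # Constructed benign control: modern browser, modern TLS, ordinary site.
    {"dst": "93.184.216.34", "dport": 443, "tls": "TLS 1.3",
     "request": ("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                 "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0\r\n\r\n")},
]

# Hosts the report shows being used to learn the victim's public IP / country.
IP_CHECK_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com", "reallyfreegeoip.org"}
# The exact User-Agent seen in the report's checkip.dyndns.org requests.
LEGACY_DOTNET_UA = re.compile(r"MSIE 6\.0; Windows NT 5\.2; \.NET CLR ?1\.0\.3705", re.I)
GEOIP_PATH = re.compile(r"^/xml/(\d{1,3}(?:\.\d{1,3}){3})$")


def parse_request(raw):
    """Split a raw HTTP/1.x request into its request line and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def tls_version(label):
    """'TLS 1.0' -> (1, 0); None for cleartext flows."""
    m = re.search(r"TLS\s*(\d+)\.(\d+)", label or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def assess(flow):
    """Return the sorted indicator tags for one flow."""
    tags = set()
    req = parse_request(flow["request"])
    host = req["headers"].get("host", "").lower()
    if host in IP_CHECK_HOSTS:
        tags.add("ip_check_service")
    ua = req["headers"].get("user-agent")
    if ua is None:
        tags.add("missing_user_agent")          # cf. "HTTP GET or POST without a user agent"
    elif LEGACY_DOTNET_UA.search(ua):
        tags.add("legacy_dotnet_ua")            # the hard-coded UA from the report
    if host == "reallyfreegeoip.org" and GEOIP_PATH.match(req["path"]):
        tags.add("geoip_lookup_by_ip")          # country lookup of the IP learned earlier
    ver = tls_version(flow["tls"])
    if ver is not None and ver < (1, 2):
        tags.add("legacy_tls")                  # cf. "Uses insecure TLS / SSL version"
    return sorted(tags)


def assess_all(flows):
    return [(f["dst"], assess(f)) for f in flows]


def verdict(tags):
    """Two or more independent indicators on one flow is worth an alert; a single
    IP-check lookup on its own is too common in legitimate software."""
    return "suspicious" if len(tags) >= 2 else "benign"


if __name__ == "__main__":
    for dst, tags in assess_all(SAMPLE_FLOWS):
        print(dst, verdict(tags), tags)
```

The scoring deliberately needs two indicators per flow: plenty of legitimate updaters query an IP-check service, but doing so with a fifteen-year-old hard-coded User-Agent, or following it with a bare GeoIP lookup over TLS 1.0, is the combination this report shows.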
                    Source: MB263350411AE_1.scr.exe, 00000006.00000002.2907398360.000000000294E000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 0000000C.00000002.2908519169.000000000314E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.com
                    Source: MB263350411AE_1.scr.exe, 00000006.00000002.2907398360.000000000294E000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 0000000C.00000002.2908519169.000000000314E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.comd
                    Source: MB263350411AE_1.scr.exe, 00000006.00000002.2907398360.000000000293A000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE_1.scr.exe, 00000006.00000002.2907398360.000000000294E000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 0000000C.00000002.2908519169.000000000313C000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 0000000C.00000002.2908519169.000000000314E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
                    Source: MB263350411AE_1.scr.exe, 00000006.00000002.2907398360.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 0000000C.00000002.2908519169.000000000310C000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 0000000C.00000002.2908519169.00000000030D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
                    Source: MB263350411AE_1.scr.exe, 00000006.00000002.2907398360.000000000294E000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 0000000C.00000002.2908519169.000000000314E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/d
                    Source: MB263350411AE_1.scr.exe, 00000000.00000002.1709843168.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE_1.scr.exe, 00000000.00000002.1709843168.0000000003A09000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE_1.scr.exe, 00000000.00000002.1709843168.0000000003BE5000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE_1.scr.exe, 00000006.00000002.2904272614.0000000000403000.00000040.00000400.00020000.00000000.sdmp, nDVstwLnVvg.exe, 00000007.00000002.1743871587.0000000004507000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 00000007.00000002.1743871587.00000000043AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
                    Source: MB263350411AE_1.scr.exe, 00000006.00000002.2907398360.000000000294E000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 0000000C.00000002.2908519169.000000000314E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.orgd
                    Source: MB263350411AE_1.scr.exe, nDVstwLnVvg.exe.0.drString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                    Source: MB263350411AE_1.scr.exe, nDVstwLnVvg.exe.0.drString found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
                    Source: MB263350411AE_1.scr.exe, nDVstwLnVvg.exe.0.drString found in binary or memory: http://ocsp.comodoca.com0
                    Source: MB263350411AE_1.scr.exe, 00000006.00000002.2907398360.000000000296B000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 0000000C.00000002.2908519169.000000000316B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.org
                    Source: MB263350411AE_1.scr.exe, 00000006.00000002.2907398360.000000000296B000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 0000000C.00000002.2908519169.000000000316B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.orgd
                    Source: MB263350411AE_1.scr.exe, 00000000.00000002.1708901730.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE_1.scr.exe, 00000006.00000002.2907398360.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 00000007.00000002.1723040304.0000000003336000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 0000000C.00000002.2908519169.000000000310C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: MB263350411AE_1.scr.exe, nDVstwLnVvg.exe.0.drString found in binary or memory: http://tempuri.org/DataSet1.xsd
                    Source: MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                    Source: MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                    Source: MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
                    Source: MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
                    Source: MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
                    Source: MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                    Source: MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                    Source: MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
                    Source: MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
                    Source: MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
                    Source: MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
                    Source: MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
                    Source: MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
                    Source: MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
                    Source: MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
                    Source: MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                    Source: MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
                    Source: MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
                    Source: MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
                    Source: MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
                    Source: MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
                    Source: MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
                    Source: MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
                    Source: MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
                    Source: MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
                    Source: MB263350411AE_1.scr.exe, 00000000.00000002.1709843168.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE_1.scr.exe, 00000000.00000002.1709843168.0000000003A09000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE_1.scr.exe, 00000000.00000002.1709843168.0000000003BE5000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE_1.scr.exe, 00000006.00000002.2904272614.0000000000403000.00000040.00000400.00020000.00000000.sdmp, nDVstwLnVvg.exe, 00000007.00000002.1743871587.0000000004507000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 00000007.00000002.1743871587.00000000043AA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
                    Source: MB263350411AE_1.scr.exe, 00000006.00000002.2907398360.000000000294E000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 0000000C.00000002.2908519169.000000000314E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
                    Source: MB263350411AE_1.scr.exe, 00000000.00000002.1709843168.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE_1.scr.exe, 00000000.00000002.1709843168.0000000003A09000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE_1.scr.exe, 00000000.00000002.1709843168.0000000003BE5000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE_1.scr.exe, 00000006.00000002.2904272614.0000000000403000.00000040.00000400.00020000.00000000.sdmp, MB263350411AE_1.scr.exe, 00000006.00000002.2907398360.000000000294E000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 00000007.00000002.1743871587.0000000004507000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 00000007.00000002.1743871587.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 0000000C.00000002.2908519169.000000000314E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
                    Source: MB263350411AE_1.scr.exe, 00000006.00000002.2907398360.000000000294E000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 0000000C.00000002.2908519169.000000000314E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
                    Source: MB263350411AE_1.scr.exe, 00000006.00000002.2907398360.000000000294E000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 0000000C.00000002.2908519169.000000000314E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
                    Source: MB263350411AE_1.scr.exe, nDVstwLnVvg.exe.0.dr | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
                    Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
                    Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443

                    System Summary

                    Source: 7.2.nDVstwLnVvg.exe.43aa0a0.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 7.2.nDVstwLnVvg.exe.43aa0a0.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 0.2.MB263350411AE_1.scr.exe.3a09990.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 0.2.MB263350411AE_1.scr.exe.3a09990.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 0.2.MB263350411AE_1.scr.exe.3be5ac0.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 0.2.MB263350411AE_1.scr.exe.3be5ac0.5.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 7.2.nDVstwLnVvg.exe.43aa0a0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 7.2.nDVstwLnVvg.exe.43aa0a0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 0.2.MB263350411AE_1.scr.exe.3a09990.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 0.2.MB263350411AE_1.scr.exe.3a09990.4.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 6.2.MB263350411AE_1.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 6.2.MB263350411AE_1.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 0.2.MB263350411AE_1.scr.exe.3be5ac0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 0.2.MB263350411AE_1.scr.exe.3be5ac0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                    Source: 00000007.00000002.1743871587.0000000004507000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 00000006.00000002.2904272614.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 00000007.00000002.1743871587.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 00000000.00000002.1709843168.0000000003A09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 00000000.00000002.1709843168.0000000003BE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: 00000000.00000002.1709843168.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: Process Memory Space: MB263350411AE_1.scr.exe PID: 7428, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: Process Memory Space: MB263350411AE_1.scr.exe PID: 7768, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: Process Memory Space: nDVstwLnVvg.exe PID: 7836, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 0_2_00EB4204
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 0_2_00EB7018
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 0_2_00EBD8EC
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 0_2_074C3288
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 0_2_074C64F0
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 0_2_074C3278
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_00DFC530
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_00DF27B9
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_00DF2DD1
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_00DF9480
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_00DFC521
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_00DF946F
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054A6138
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054ABC60
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054AAF00
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054A89E0
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054A8579
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054A450F
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054A4520
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054A8588
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054AF448
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054AF458
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054A7428
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054A7418
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054A7428
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054AE740
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054AE750
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054A5680
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054A612A
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054A8120
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054A8130
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054AE180
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054AF000
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054A0320
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054A0330
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054A13A8
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054A521A
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054A5228
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054A4DC0
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054A4DD0
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054A7CC8
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054A0CD8
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054A7CD8
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054A6FC3
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054A6FD0
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054AEFF0
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054A4969
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054A4978
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054A89D0
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054A7871
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054A7880
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054AF8A1
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054AF8B0
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054AEB98
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054AEBA8
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054A5ACA
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054A5AD8
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_054A0AB8
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 7_2_031D4204
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 7_2_031D7018
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 7_2_031DD8EC
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 7_2_05836C78
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 7_2_058302C8
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 7_2_058302D8
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 7_2_05836C68
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 7_2_0583F008
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 7_2_0583F018
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 7_2_07732570
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 7_2_07732561
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 7_2_077358A0
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 7_2_08E8CAB0
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 7_2_08E8EB28
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 7_2_08E8EB18
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 7_2_08E8CEE8
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 7_2_08E83F70
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 7_2_08E83F48
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 7_2_08E85180
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 7_2_08E8D320
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 7_2_08E8F4D8
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_0123C530
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_012327B9
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_01232DD1
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_01239480
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_0123C521
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_0123946F
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030B1361
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030B6138
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030B0AB8
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030B5AD8
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030B89E0
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030BAF00
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030BBC60
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030B0320
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030B0330
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030B521A
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030B5228
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030B8120
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030B8130
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030BE180
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030BF000
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030BE740
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030BE750
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030B5670
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030B5680
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030B450F
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030B4520
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030B8579
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030B8588
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030B7418
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030B7428
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030BF448
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030BF458
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030BEB98
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030BEBA8
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030B5ACA
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030B4969
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030B4978
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030B89D0
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030B7871
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030B7880
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030BF8A0
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030BF8B0
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030B6FC3
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030B6FC1
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030B6FD0
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030BEFF0
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030B4DC0
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030B4DD0
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030B7CC8
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030B0CD8
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 12_2_030B7CD8
                    Source: MB263350411AE_1.scr.exe | Static PE information: invalid certificate
                    Source: MB263350411AE_1.scr.exe, 00000000.00000002.1713691680.0000000005B8E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameyBlD.exeB vs MB263350411AE_1.scr.exe
                    Source: MB263350411AE_1.scr.exe, 00000000.00000002.1715358753.0000000007510000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs MB263350411AE_1.scr.exe
                    Source: MB263350411AE_1.scr.exe, 00000000.00000002.1712307029.0000000005310000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCaptive.dll" vs MB263350411AE_1.scr.exe
                    Source: MB263350411AE_1.scr.exe, 00000000.00000000.1654644721.00000000005D2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameyBlD.exeB vs MB263350411AE_1.scr.exe
                    Source: MB263350411AE_1.scr.exe, 00000000.00000002.1708901730.00000000029E1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs MB263350411AE_1.scr.exe
                    Source: MB263350411AE_1.scr.exe, 00000000.00000002.1705616469.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs MB263350411AE_1.scr.exe
                    Source: MB263350411AE_1.scr.exe, 00000000.00000002.1709843168.0000000003A09000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs MB263350411AE_1.scr.exe
                    Source: MB263350411AE_1.scr.exe, 00000000.00000002.1709843168.0000000003BE5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs MB263350411AE_1.scr.exe
                    Source: MB263350411AE_1.scr.exe, 00000000.00000002.1709843168.0000000003BE5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs MB263350411AE_1.scr.exe
                    Source: MB263350411AE_1.scr.exe, 00000000.00000002.1708901730.0000000002AC9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCaptive.dll" vs MB263350411AE_1.scr.exe
                    Source: MB263350411AE_1.scr.exe, 00000006.00000002.2904272614.000000000041A000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs MB263350411AE_1.scr.exe
                    Source: MB263350411AE_1.scr.exe, 00000006.00000002.2904607938.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs MB263350411AE_1.scr.exe
                    Source: MB263350411AE_1.scr.exe | Binary or memory string: OriginalFilenameyBlD.exeB vs MB263350411AE_1.scr.exe
                    Source: MB263350411AE_1.scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 7.2.nDVstwLnVvg.exe.43aa0a0.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 7.2.nDVstwLnVvg.exe.43aa0a0.3.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.MB263350411AE_1.scr.exe.3a09990.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 0.2.MB263350411AE_1.scr.exe.3a09990.4.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.MB263350411AE_1.scr.exe.3be5ac0.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 0.2.MB263350411AE_1.scr.exe.3be5ac0.5.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 7.2.nDVstwLnVvg.exe.43aa0a0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 7.2.nDVstwLnVvg.exe.43aa0a0.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.MB263350411AE_1.scr.exe.3a09990.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 0.2.MB263350411AE_1.scr.exe.3a09990.4.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 6.2.MB263350411AE_1.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 6.2.MB263350411AE_1.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.MB263350411AE_1.scr.exe.3be5ac0.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 0.2.MB263350411AE_1.scr.exe.3be5ac0.5.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 00000007.00000002.1743871587.0000000004507000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 00000006.00000002.2904272614.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 00000007.00000002.1743871587.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 00000000.00000002.1709843168.0000000003A09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 00000000.00000002.1709843168.0000000003BE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 00000000.00000002.1709843168.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: Process Memory Space: MB263350411AE_1.scr.exe PID: 7428, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: Process Memory Space: MB263350411AE_1.scr.exe PID: 7768, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: Process Memory Space: nDVstwLnVvg.exe PID: 7836, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: MB263350411AE_1.scr.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: nDVstwLnVvg.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@18/11@2/2
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeFile created: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7648:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7596:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7992:120:WilError_03
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeMutant created: \Sessions\1\BaseNamedObjects\jDDZSFHxEGhwuJFCXuaQH
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeFile created: C:\Users\user\AppData\Local\Temp\tmp1488.tmpJump to behavior
                    Source: MB263350411AE_1.scr.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: MB263350411AE_1.scr.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: MB263350411AE_1.scr.exe, 00000006.00000002.2907398360.00000000029CC000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE_1.scr.exe, 00000006.00000002.2907398360.00000000029BE000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE_1.scr.exe, 00000006.00000002.2907398360.00000000029AE000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 0000000C.00000002.2908519169.00000000031AE000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 0000000C.00000002.2908519169.00000000031BE000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 0000000C.00000002.2908519169.00000000031CC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: MB263350411AE_1.scr.exe, 00000000.00000000.1654644721.00000000005D2000.00000002.00000001.01000000.00000003.sdmp, nDVstwLnVvg.exe.0.drBinary or memory string: INSERT INTO users (first_name, last_name, email, [password]) VALUES (@firstName, @lastName, @email, @password);
                    Source: MB263350411AE_1.scr.exeVirustotal: Detection: 36%
                    Source: MB263350411AE_1.scr.exeReversingLabs: Detection: 23%
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeFile read: C:\Users\user\Desktop\MB263350411AE_1.scr.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\MB263350411AE_1.scr.exe "C:\Users\user\Desktop\MB263350411AE_1.scr.exe"
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDVstwLnVvg" /XML "C:\Users\user\AppData\Local\Temp\tmp1488.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeProcess created: C:\Users\user\Desktop\MB263350411AE_1.scr.exe "C:\Users\user\Desktop\MB263350411AE_1.scr.exe"
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDVstwLnVvg" /XML "C:\Users\user\AppData\Local\Temp\tmp1DC0.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeProcess created: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe "C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe"
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeProcess created: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe "C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe"
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDVstwLnVvg" /XML "C:\Users\user\AppData\Local\Temp\tmp1488.tmp"Jump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeProcess created: C:\Users\user\Desktop\MB263350411AE_1.scr.exe "C:\Users\user\Desktop\MB263350411AE_1.scr.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDVstwLnVvg" /XML "C:\Users\user\AppData\Local\Temp\tmp1DC0.tmp"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeProcess created: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe "C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeProcess created: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe "C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Section loaded: rasapi32.dll
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Section loaded: rasman.dll
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Section loaded: rtutils.dll
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Section loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Section loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Section loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Section loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Section loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Section loaded: secur32.dll
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Section loaded: schannel.dll
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Section loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Section loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Section loaded: dpapi.dll
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: MB263350411AE_1.scr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: MB263350411AE_1.scr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: MB263350411AE_1.scr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: yBlD.pdb | source: MB263350411AE_1.scr.exe, nDVstwLnVvg.exe.0.dr
                    Source: Binary string: yBlD.pdbSHA256> | source: MB263350411AE_1.scr.exe, nDVstwLnVvg.exe.0.dr
                    Source: MB263350411AE_1.scr.exe | Static PE information: 0x991B1B7B [Fri May 26 05:09:15 2051 UTC]
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_00DF07FF push ebx; retf 0000h | 6_2_00DF0802
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_00DF081F push ebx; retf 0000h | 6_2_00DF0822
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Code function: 6_2_00DF0811 push ebx; retf 0000h | 6_2_00DF0812
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 7_2_08E884A7 push ds; retn 0005h | 7_2_08E884B2
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Code function: 7_2_08E88497 push ds; retn 0005h | 7_2_08E884A2
                    Source: MB263350411AE_1.scr.exe | Static PE information: section name: .text entropy: 7.631573035742171
                    Source: nDVstwLnVvg.exe.0.dr | Static PE information: section name: .text entropy: 7.631573035742171
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | File created: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDVstwLnVvg" /XML "C:\Users\user\AppData\Local\Temp\tmp1488.tmp"

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match File source: Process Memory Space: MB263350411AE_1.scr.exe PID: 7428, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: nDVstwLnVvg.exe PID: 7836, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Memory allocated: EB0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Memory allocated: 29E0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Memory allocated: 28E0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Memory allocated: 8A70000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Memory allocated: 9A70000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Memory allocated: 9C70000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Memory allocated: AC70000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Memory allocated: DF0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Memory allocated: 28D0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Memory allocated: 48D0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe Memory allocated: 30E0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe Memory allocated: 3300000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe Memory allocated: 9060000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe Memory allocated: 7920000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe Memory allocated: A060000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe Memory allocated: B060000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe Memory allocated: 1230000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe Memory allocated: 30D0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe Memory allocated: 2DE0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7645
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1996
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe TID: 7448 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7852 Thread sleep time: -8301034833169293s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe TID: 7860 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: MB263350411AE_1.scr.exe, 00000006.00000002.2905258445.0000000000CE6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf
                    Source: nDVstwLnVvg.exe, 00000007.00000002.1721391107.0000000001533000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\er
                    Source: nDVstwLnVvg.exe, 0000000C.00000002.2906060230.0000000001336000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Process information queried: ProcessInformation
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe Code function: 12_2_030B0AB8 LdrInitializeThunk,LdrInitializeThunk,12_2_030B0AB8
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe"
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe Memory written: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDVstwLnVvg" /XML "C:\Users\user\AppData\Local\Temp\tmp1488.tmp"
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Process created: C:\Users\user\Desktop\MB263350411AE_1.scr.exe "C:\Users\user\Desktop\MB263350411AE_1.scr.exe"
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDVstwLnVvg" /XML "C:\Users\user\AppData\Local\Temp\tmp1DC0.tmp"
                    Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe Process created: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe "C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe"
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Queries volume information: C:\Users\user\Desktop\MB263350411AE_1.scr.exe VolumeInformation
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll
Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe; Queries volume information: C:\Users\user\Desktop\MB263350411AE_1.scr.exe
Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll
Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll
Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe; Queries volume information: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe
Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll
Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll
Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match; File source: 7.2.nDVstwLnVvg.exe.43aa0a0.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.MB263350411AE_1.scr.exe.3a09990.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.MB263350411AE_1.scr.exe.3be5ac0.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.nDVstwLnVvg.exe.43aa0a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.MB263350411AE_1.scr.exe.3a09990.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.MB263350411AE_1.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.MB263350411AE_1.scr.exe.3be5ac0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000007.00000002.1743871587.0000000004507000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.2904272614.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.1743871587.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1709843168.0000000003A09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1709843168.0000000003BE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1709843168.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: MB263350411AE_1.scr.exe PID: 7428, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: MB263350411AE_1.scr.exe PID: 7768, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: nDVstwLnVvg.exe PID: 7836, type: MEMORYSTR
Source: Yara match; File source: 0.2.MB263350411AE_1.scr.exe.5310000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.MB263350411AE_1.scr.exe.2df45f0.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.MB263350411AE_1.scr.exe.5310000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.MB263350411AE_1.scr.exe.2df45f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.MB263350411AE_1.scr.exe.2bd27c0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.MB263350411AE_1.scr.exe.2b19e54.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.1712307029.0000000005310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1708901730.0000000002AC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\MB263350411AE_1.scr.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match; File source: 7.2.nDVstwLnVvg.exe.43aa0a0.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.MB263350411AE_1.scr.exe.3a09990.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.MB263350411AE_1.scr.exe.3be5ac0.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.nDVstwLnVvg.exe.43aa0a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.MB263350411AE_1.scr.exe.3a09990.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.MB263350411AE_1.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.MB263350411AE_1.scr.exe.3be5ac0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000007.00000002.1743871587.0000000004507000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.2904272614.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.1743871587.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1709843168.0000000003A09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.2908519169.00000000031F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.2907398360.00000000029F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1709843168.0000000003BE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1709843168.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: MB263350411AE_1.scr.exe PID: 7428, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: MB263350411AE_1.scr.exe PID: 7768, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: nDVstwLnVvg.exe PID: 7836, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: nDVstwLnVvg.exe PID: 8044, type: MEMORYSTR

Remote Access Functionality

Source: Yara match; File source: 7.2.nDVstwLnVvg.exe.43aa0a0.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.MB263350411AE_1.scr.exe.3a09990.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.MB263350411AE_1.scr.exe.3be5ac0.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.nDVstwLnVvg.exe.43aa0a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.MB263350411AE_1.scr.exe.3a09990.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.MB263350411AE_1.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.MB263350411AE_1.scr.exe.3be5ac0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000007.00000002.1743871587.0000000004507000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.2904272614.0000000000403000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.1743871587.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1709843168.0000000003A09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1709843168.0000000003BE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1709843168.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: MB263350411AE_1.scr.exe PID: 7428, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: MB263350411AE_1.scr.exe PID: 7768, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: nDVstwLnVvg.exe PID: 7836, type: MEMORYSTR
Source: Yara match; File source: 0.2.MB263350411AE_1.scr.exe.5310000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.MB263350411AE_1.scr.exe.2df45f0.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.MB263350411AE_1.scr.exe.5310000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.MB263350411AE_1.scr.exe.2df45f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.MB263350411AE_1.scr.exe.2bd27c0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.MB263350411AE_1.scr.exe.2b19e54.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.1712307029.0000000005310000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1708901730.0000000002AC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (per tactic; a leading number is the signature count shown for that technique in the report, unnumbered entries are the matrix's default placeholders)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 1 Scheduled Task/Job; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 Scheduled Task/Job; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 111 Process Injection; 1 Scheduled Task/Job; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 11 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 111 Process Injection; 3 Obfuscated Files or Information; 2 Software Packing; 1 Timestomp; 1 DLL Side-Loading
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 Query Registry; 11 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; 1 File and Directory Discovery; 13 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Email Collection; 1 Archive Collected Data; 1 Data from Local System; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph ID: 1590687; Sample: MB263350411AE_1.scr.exe; Start date: 14/01/2025; Architecture: WINDOWS; Score: 100

Contacted hosts: reallyfreegeoip.org; checkip.dyndns.org; checkip.dyndns.com

Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 8 other signatures. reallyfreegeoip.org: Tries to detect the country of the analysis system (by using the IP).

Process tree:

• MB263350411AE_1.scr.exe (started)
  Dropped: C:\Users\user\AppData\...\nDVstwLnVvg.exe (PE32); C:\Users\...\nDVstwLnVvg.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp1488.tmp (XML); C:\Users\user\...\MB263350411AE_1.scr.exe.log (ASCII)
  Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
  • powershell.exe (started); signature: Loading BitLocker PowerShell Module
    • WmiPrvSE.exe (started)
    • conhost.exe (started)
  • MB263350411AE_1.scr.exe (started)
    Network: checkip.dyndns.com 193.122.130.0, ports 49735, 49737, 80, ORACLE-BMC-31898US, United States; reallyfreegeoip.org 104.21.16.1, ports 443, 49736, 49739, CLOUDFLARENETUS, United States
  • schtasks.exe (started)
    • conhost.exe (started)
• nDVstwLnVvg.exe (started)
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
  • nDVstwLnVvg.exe (started); signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
  • schtasks.exe (started)
    • conhost.exe (started)
  • nDVstwLnVvg.exe (started)

Antivirus detection (submitted file): Source / Detection / Scanner / Label
MB263350411AE_1.scr.exe: 36%, Virustotal
MB263350411AE_1.scr.exe: 24%, ReversingLabs
MB263350411AE_1.scr.exe: 100%, Joe Sandbox ML

Antivirus detection (dropped files): Source / Detection / Scanner / Label
C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe: 100%, Joe Sandbox ML
C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe: 32%, ReversingLabs, label: ByteCode-MSIL.Virus.Virut
C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe: 36%, Virustotal

No Antivirus matches
No Antivirus matches
No Antivirus matches
Domains: Name / IP / Active / Malicious / Antivirus Detection / Reputation
reallyfreegeoip.org: IP 104.21.16.1; active: true; malicious: false; reputation: high
checkip.dyndns.com: IP 193.122.130.0; active: true; malicious: false; reputation: high
checkip.dyndns.org: IP unknown; active: unknown; malicious: false; reputation: high

Contacted URLs: Name / Malicious / Antivirus Detection / Reputation
https://reallyfreegeoip.org/xml/8.46.123.189: malicious: false; reputation: high
http://checkip.dyndns.org/: malicious: false; reputation: high
                              NameSourceMaliciousAntivirus DetectionReputation
                              http://www.apache.org/licenses/LICENSE-2.0MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                http://www.fontbureau.comMB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  http://www.fontbureau.com/designersGMB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    http://www.fontbureau.com/designers/?MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
Name | Source | Malicious | Reputation
http://www.founder.com.cn/cn/bThe | MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.fontbureau.com/designers? | MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | false | high
http://reallyfreegeoip.orgd | MB263350411AE_1.scr.exe, 00000006.00000002.2907398360.000000000296B000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 0000000C.00000002.2908519169.000000000316B000.00000004.00000800.00020000.00000000.sdmp | false | high
http://tempuri.org/DataSet1.xsd | MB263350411AE_1.scr.exe, nDVstwLnVvg.exe.0.dr | false | high
http://www.tiro.com | MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | false | high
http://checkip.dyndns.org | MB263350411AE_1.scr.exe, 00000006.00000002.2907398360.000000000293A000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE_1.scr.exe, 00000006.00000002.2907398360.000000000294E000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 0000000C.00000002.2908519169.000000000313C000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 0000000C.00000002.2908519169.000000000314E000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.fontbureau.com/designers | MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.goodfont.co.kr | MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | false | high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | MB263350411AE_1.scr.exe, nDVstwLnVvg.exe.0.dr | false | high
http://www.carterandcone.coml | MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.sajatypeworks.com | MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.typography.netD | MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.fontbureau.com/designers/cabarga.htmlN | MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.founder.com.cn/cn/cThe | MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.galapagosdesign.com/staff/dennis.htm | MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.founder.com.cn/cn | MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.fontbureau.com/designers/frere-user.html | MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | false | high
https://reallyfreegeoip.org/xml/8.46.123.189l | MB263350411AE_1.scr.exe, 00000006.00000002.2907398360.000000000294E000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 0000000C.00000002.2908519169.000000000314E000.00000004.00000800.00020000.00000000.sdmp | false | high
http://checkip.dyndns.comd | MB263350411AE_1.scr.exe, 00000006.00000002.2907398360.000000000294E000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 0000000C.00000002.2908519169.000000000314E000.00000004.00000800.00020000.00000000.sdmp | false | high
http://checkip.dyndns.org/q | MB263350411AE_1.scr.exe, 00000000.00000002.1709843168.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE_1.scr.exe, 00000000.00000002.1709843168.0000000003A09000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE_1.scr.exe, 00000000.00000002.1709843168.0000000003BE5000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE_1.scr.exe, 00000006.00000002.2904272614.0000000000403000.00000040.00000400.00020000.00000000.sdmp, nDVstwLnVvg.exe, 00000007.00000002.1743871587.0000000004507000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 00000007.00000002.1743871587.00000000043AA000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.jiyu-kobo.co.jp/ | MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | false | high
https://reallyfreegeoip.org/xml/8.46.123.189d | MB263350411AE_1.scr.exe, 00000006.00000002.2907398360.000000000294E000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 0000000C.00000002.2908519169.000000000314E000.00000004.00000800.00020000.00000000.sdmp | false | high
http://reallyfreegeoip.org | MB263350411AE_1.scr.exe, 00000006.00000002.2907398360.000000000296B000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 0000000C.00000002.2908519169.000000000316B000.00000004.00000800.00020000.00000000.sdmp | false | high
http://checkip.dyndns.orgd | MB263350411AE_1.scr.exe, 00000006.00000002.2907398360.000000000294E000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 0000000C.00000002.2908519169.000000000314E000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.galapagosdesign.com/DPlease | MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | false | high
https://reallyfreegeoip.org | MB263350411AE_1.scr.exe, 00000006.00000002.2907398360.000000000294E000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 0000000C.00000002.2908519169.000000000314E000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.fontbureau.com/designers8 | MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.fonts.com | MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.sandoll.co.kr | MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | false | high
http://checkip.dyndns.com | MB263350411AE_1.scr.exe, 00000006.00000002.2907398360.000000000294E000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 0000000C.00000002.2908519169.000000000314E000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.urwpp.deDPlease | MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.zhongyicts.com.cn | MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | false | high
http://checkip.dyndns.org/d | MB263350411AE_1.scr.exe, 00000006.00000002.2907398360.000000000294E000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 0000000C.00000002.2908519169.000000000314E000.00000004.00000800.00020000.00000000.sdmp | false | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | MB263350411AE_1.scr.exe, 00000000.00000002.1708901730.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE_1.scr.exe, 00000006.00000002.2907398360.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 00000007.00000002.1723040304.0000000003336000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 0000000C.00000002.2908519169.000000000310C000.00000004.00000800.00020000.00000000.sdmp | false | high
http://www.sakkal.com | MB263350411AE_1.scr.exe, 00000000.00000002.1714574127.0000000006D52000.00000004.00000800.00020000.00000000.sdmp | false | high
https://api.telegram.org/bot-/sendDocument?chat_id= | MB263350411AE_1.scr.exe, 00000000.00000002.1709843168.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE_1.scr.exe, 00000000.00000002.1709843168.0000000003A09000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE_1.scr.exe, 00000000.00000002.1709843168.0000000003BE5000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE_1.scr.exe, 00000006.00000002.2904272614.0000000000403000.00000040.00000400.00020000.00000000.sdmp, nDVstwLnVvg.exe, 00000007.00000002.1743871587.0000000004507000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 00000007.00000002.1743871587.00000000043AA000.00000004.00000800.00020000.00000000.sdmp | false | high
https://reallyfreegeoip.org/xml/ | MB263350411AE_1.scr.exe, 00000000.00000002.1709843168.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE_1.scr.exe, 00000000.00000002.1709843168.0000000003A09000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE_1.scr.exe, 00000000.00000002.1709843168.0000000003BE5000.00000004.00000800.00020000.00000000.sdmp, MB263350411AE_1.scr.exe, 00000006.00000002.2904272614.0000000000403000.00000040.00000400.00020000.00000000.sdmp, MB263350411AE_1.scr.exe, 00000006.00000002.2907398360.000000000294E000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 00000007.00000002.1743871587.0000000004507000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 00000007.00000002.1743871587.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, nDVstwLnVvg.exe, 0000000C.00000002.2908519169.000000000314E000.00000004.00000800.00020000.00000000.sdmp | false | high
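The URL strings above mix two very different things: font-vendor and XML-schema URLs that a .NET binary carries in its embedded resources, and the stealer's beaconing chain (learn the public IP at checkip.dyndns.org, geolocate it at reallyfreegeoip.org/xml/<ip>, upload via the Telegram Bot API sendDocument method). The following Python is an added example, not part of the Joe Sandbox report; it triages a constructed subset of the Name column along those lines. The noise-host list, the stage labels, and the rule that a junk-suffixed host such as reallyfreegeoip.orgd is snapped back to its known host are this example's own assumptions.

```python
"""Triage of URL strings recovered from a sandbox memory dump.

Added example, not part of the Joe Sandbox report. It separates the stealer's
beaconing chain (public-IP lookup -> geolocation -> Telegram Bot API upload)
from URLs that .NET binaries carry in embedded font metadata and XML schema
namespaces. Host lists and stage names are this example's own assumptions.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a subset of the Name column of the URLs table. Trailing
# junk such as "bThe" or "d" is an artefact of scanning memory for URL-looking
# byte runs and is deliberately left in place.
MEMORY_URLS = [
    "http://www.founder.com.cn/cn/bThe",
    "http://www.fontbureau.com/designers?",
    "http://www.carterandcone.coml",
    "http://tempuri.org/DataSet1.xsd",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "http://checkip.dyndns.org",
    "http://checkip.dyndns.org/q",
    "http://reallyfreegeoip.orgd",
    "https://reallyfreegeoip.org/xml/8.46.123.189l",
    "https://reallyfreegeoip.org/xml/",
    "https://api.telegram.org/bot-/sendDocument?chat_id=",
]

# Assumption: hosts that legitimately appear in .NET binaries (font vendor
# URLs from embedded fonts, schema namespaces, PuTTY credits).
NOISE_HOSTS = {
    "www.founder.com.cn", "www.fontbureau.com", "www.tiro.com",
    "www.goodfont.co.kr", "www.carterandcone.com", "www.sajatypeworks.com",
    "www.typography.net", "www.galapagosdesign.com", "www.jiyu-kobo.co.jp",
    "www.fonts.com", "www.sandoll.co.kr", "www.urwpp.de",
    "www.zhongyicts.com.cn", "www.sakkal.com", "tempuri.org",
    "schemas.xmlsoap.org", "www.chiark.greenend.org.uk",
}

# Assumption: stage labels for the beaconing chain observed in this report.
STAGE_BY_HOST = {
    "checkip.dyndns.org": "public-ip-lookup",
    "checkip.dyndns.com": "public-ip-lookup",
    "reallyfreegeoip.org": "geolocation",
    "api.telegram.org": "telegram-exfil",
}
REQUIRED_CHAIN = ("public-ip-lookup", "geolocation", "telegram-exfil")

TELEGRAM_RE = re.compile(r"^/bot(?P<token>[^/]*)/(?P<method>[A-Za-z]+)")
GEO_IP_RE = re.compile(r"/xml/(\d{1,3}(?:\.\d{1,3}){3})")


def normalise_host(url):
    """Host of `url`, snapped onto a known host when the memory scan glued
    junk bytes onto it (e.g. 'reallyfreegeoip.orgd' -> 'reallyfreegeoip.org')."""
    host = urlsplit(url).netloc.lower()
    for known in list(STAGE_BY_HOST) + sorted(NOISE_HOSTS):
        if host == known or host.startswith(known):
            return known
    return host


def classify(url):
    """Return (stage, normalised host) for one URL string."""
    host = normalise_host(url)
    if host in STAGE_BY_HOST:
        return STAGE_BY_HOST[host], host
    if host in NOISE_HOSTS:
        return "noise", host
    return "unknown", host


def telegram_details(url):
    """Bot token, API method and chat_id from a Telegram Bot API URL, or None."""
    parts = urlsplit(url)
    match = TELEGRAM_RE.match(parts.path)
    if normalise_host(url) != "api.telegram.org" or not match:
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    return {"token": match.group("token"), "method": match.group("method"),
            "chat_id": query.get("chat_id", [""])[0]}


def triage(urls):
    """Split URL strings into beaconing IOCs, benign noise and unknowns, and
    pull out the IPs the sample geolocated plus any Telegram upload details."""
    out = {"stages": set(), "ioc": [], "noise": [], "unknown": [],
           "looked_up_ips": [], "telegram": []}
    for url in urls:
        stage, _host = classify(url)
        if stage in ("noise", "unknown"):
            out[stage].append(url)
            continue
        out["stages"].add(stage)
        out["ioc"].append((stage, url))
        if stage == "geolocation":
            ip = GEO_IP_RE.search(url)
            if ip and ip.group(1) not in out["looked_up_ips"]:
                out["looked_up_ips"].append(ip.group(1))
        if stage == "telegram-exfil":
            details = telegram_details(url)
            if details:
                out["telegram"].append(details)
    return out


def chain_complete(stages):
    """True when every stage of the IP-lookup -> geolocate -> Telegram chain was seen."""
    return all(stage in stages for stage in REQUIRED_CHAIN)


if __name__ == "__main__":
    result = triage(MEMORY_URLS)
    for stage, url in result["ioc"]:
        print(f"{stage:17} {url}")
    print("noise strings:", len(result["noise"]))
    print("IPs the sample geolocated:", result["looked_up_ips"])
    print("telegram:", result["telegram"])
    print("full stealer chain present:", chain_complete(result["stages"]))
```

On this input the geolocation URL yields 8.46.123.189, the address the sample resolved for the analysis machine, and the Telegram URL yields a token of "-" and an empty chat_id: the recovered string contains no real values, and the example reports exactly what is there rather than guessing.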
[Map of contacted IPs by country. Legend: No. of IPs < 25%; 25% to 50%; 50% to 75%; more than 75%]
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.16.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
193.122.130.0 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1590687
Start date and time: 2025-01-14 13:56:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 46s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: MB263350411AE_1.scr.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@18/11@2/2
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 170
• Number of non-executed functions: 6
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 2.23.242.162, 20.12.23.50, 13.107.246.45
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target MB263350411AE_1.scr.exe, PID 7768 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
07:56:55 | API Interceptor | 1x Sleep call for process: MB263350411AE_1.scr.exe modified
07:56:57 | API Interceptor | 12x Sleep call for process: powershell.exe modified
07:56:58 | API Interceptor | 1x Sleep call for process: nDVstwLnVvg.exe modified
12:56:57 | Task Scheduler | Run new task: nDVstwLnVvg path: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe
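The Task Scheduler entry is the persistence mechanism: a task whose action is a copy of the sample dropped under the user's AppData\Roaming. The following Python is an added example, not part of the Joe Sandbox report; it parses the XML that Task Scheduler stores under C:\Windows\System32\Tasks (the same format `schtasks /query /xml` emits) and flags any Exec action whose command, or whose script argument when the command is a script interpreter, lives under a user-writable directory. The task XML samples are constructed to mirror the timeline entry, and the environment map, path patterns and interpreter list are this example's own assumptions.

```python
"""Audit Task Scheduler XML for actions that run from user-writable paths.

Added example, not part of the Joe Sandbox report. The task XML, environment
map, path patterns and interpreter list are this example's own constructions.
"""
import ntpath
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task XML modelled on the persistence entry in the timeline.
# Files on disk are UTF-16; decode them before passing the text in here.
STEALER_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed: interpreter launched from System32 but fed a script in %TEMP%.
TEMP_SCRIPT_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\wscript.exe</Command>
      <Arguments>"%TEMP%\update.vbs" //B</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed: a benign task running a system binary from System32.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>%SystemRoot%\System32\sc.exe</Command><Arguments>query</Arguments></Exec>
  </Actions>
</Task>"""

# Assumption: environment of the task's user, needed to expand %VAR% tokens.
ENV = {
    "APPDATA": r"C:\Users\user\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\user\AppData\Local",
    "TEMP": r"C:\Users\user\AppData\Local\Temp",
    "SYSTEMROOT": r"C:\Windows",
}

# Assumption: directories an unprivileged user can write to.
USER_WRITABLE = [re.compile(p, re.I) for p in (
    r"[a-z]:\\users\\[^\\]+\\appdata\\(roaming|local|locallow)\\",
    r"[a-z]:\\users\\[^\\]+\\(downloads|desktop|documents)\\",
    r"[a-z]:\\users\\public\\",
    r"[a-z]:\\programdata\\",
    r"[a-z]:\\(windows\\)?temp\\",
)]
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def expand(path, env):
    """Expand %VAR% tokens using `env` (case-insensitive); unknown tokens stay."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), path)


def exec_actions(task_xml):
    """Yield (command, arguments) for every <Exec> action in the task XML."""
    root = ET.fromstring(task_xml)
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        yield (ex.findtext("t:Command", default="", namespaces=NS).strip(),
               ex.findtext("t:Arguments", default="", namespaces=NS).strip())


def audit_task(task_xml, env=ENV):
    """Return findings for actions rooted in user-writable space (empty if clean)."""
    findings = []
    for cmd, args in exec_actions(task_xml):
        cmd_path = expand(cmd.strip('"'), env)
        if any(p.match(cmd_path) for p in USER_WRITABLE):
            findings.append({"command": cmd, "arguments": args,
                             "reason": "command runs from a user-writable path"})
        elif (ntpath.basename(cmd_path).lower() in INTERPRETERS
              and any(p.search(expand(args, env)) for p in USER_WRITABLE)):
            findings.append({"command": cmd, "arguments": args,
                             "reason": "interpreter runs a script from a user-writable path"})
    return findings


if __name__ == "__main__":
    for name, xml in (("stealer", STEALER_TASK_XML),
                      ("temp-script", TEMP_SCRIPT_TASK_XML),
                      ("benign", BENIGN_TASK_XML)):
        print(name, audit_task(xml))
```

The second constructed task is there because the obvious check (command path under AppData) misses the equally common pattern of a trusted interpreter launched from System32 with a script in %TEMP%; expanding the arguments with the task owner's environment before matching catches that case too.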
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.16.1 | MACHINE SPECIFICATIONS.exe | malicious | FormBook | www.mzkd6gp5.top/3u0p/
104.21.16.1 | 1001-13.exe | malicious | FormBook | www.mzkd6gp5.top/utww/
104.21.16.1 | trow.exe | malicious | Unknown | www.wifi4all.nl/
104.21.16.1 | 8L6MBxaJ2m.exe | malicious | FormBook | www.rafconstrutora.online/0xli/
104.21.16.1 | NFhRxwbegd.exe | malicious | FormBook | www.kkpmoneysocial.top/86am/
104.21.16.1 | JNKHlxGvw4.exe | malicious | DCRat, PureLog Stealer, zgRAT | 188387cm.n9shteam.in/videolinePipeHttplowProcessorgamelocalTemp.php
193.122.130.0 | slime crypted.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | MB263350411AE.scr.exe | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
193.122.130.0 | Remittance Advice.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | h8izmpp1ZM.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | x8M2g1Xxhz.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | b6AGgIJ87g.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | Qg79mitNvD.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | dZMT94YYwO.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | n0nsAzvYNd.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | rwlPT9YJt0.exe | malicious | Snake Keylogger | checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
checkip.dyndns.com | ABG Draft.scr.exe | malicious | MassLogger RAT, PureLog Stealer | 158.101.44.242
checkip.dyndns.com | RENH3RE2025QUOTE.exe | malicious | MassLogger RAT, PureLog Stealer | 132.226.247.73
checkip.dyndns.com | PI ITS15235.doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 132.226.8.169
checkip.dyndns.com | tN8GsMV1le.exe | malicious | MassLogger RAT | 132.226.8.169
checkip.dyndns.com | slime crypted.exe | malicious | MassLogger RAT | 193.122.130.0
checkip.dyndns.com | rOrders.scr.exe | malicious | Snake Keylogger | 132.226.247.73
checkip.dyndns.com | MB263350411AE.scr.exe | malicious | MassLogger RAT, PureLog Stealer | 193.122.130.0
checkip.dyndns.com | QUOTATION REQUIRED_Enatel s.r.l..bat.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 132.226.8.169
checkip.dyndns.com | Remittance Advice.exe | malicious | MassLogger RAT | 193.122.130.0
checkip.dyndns.com | SOA.scr.exe | malicious | MassLogger RAT, PureLog Stealer | 158.101.44.242
reallyfreegeoip.org | ABG Draft.scr.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.64.1
reallyfreegeoip.org | RENH3RE2025QUOTE.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.80.1
reallyfreegeoip.org | PI ITS15235.doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 104.21.16.1
reallyfreegeoip.org | tN8GsMV1le.exe | malicious | MassLogger RAT | 104.21.32.1
reallyfreegeoip.org | slime crypted.exe | malicious | MassLogger RAT | 104.21.48.1
reallyfreegeoip.org | rOrders.scr.exe | malicious | Snake Keylogger | 104.21.32.1
reallyfreegeoip.org | MB263350411AE.scr.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.112.1
reallyfreegeoip.org | QUOTATION REQUIRED_Enatel s.r.l..bat.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 104.21.112.1
reallyfreegeoip.org | Remittance Advice.exe | malicious | MassLogger RAT | 104.21.32.1
reallyfreegeoip.org | SOA.scr.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.112.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: CLOUDFLARENETUS
VRO.exe | malicious | Unknown | 172.67.74.152
mP8rzGD7fG.dll | malicious | Unknown | 104.26.13.205
VRO.exe | malicious | Unknown | 104.26.12.205
mP8rzGD7fG.dll | malicious | Unknown | 172.67.74.152
iTVsz8WAu4.exe | malicious | Unknown | 172.67.74.152
HLi4q5WAh3.exe | malicious | Unknown | 172.67.74.152
e0691gXIKs.exe | malicious | Unknown | 104.26.12.205
hJ1bl8p7dJ.exe | malicious | Unknown | 104.26.12.205
Y4TyDwQzbE.exe | malicious | Unknown | 104.26.12.205
DYv2ldz5xT.exe | malicious | Unknown | 172.67.74.152

Match: ORACLE-BMC-31898US
ABG Draft.scr.exe | malicious | MassLogger RAT, PureLog Stealer | 158.101.44.242
http://ubiquitous-twilight-c9292b.netlify.app/ | malicious | Unknown | 129.213.176.209
slime crypted.exe | malicious | MassLogger RAT | 193.122.130.0
MB263350411AE.scr.exe | malicious | MassLogger RAT, PureLog Stealer | 193.122.130.0
Remittance Advice.exe | malicious | MassLogger RAT | 193.122.130.0
SOA.scr.exe | malicious | MassLogger RAT, PureLog Stealer | 158.101.44.242
FA_35_01_2025_STA_Wz#U00f3r_standard_pdf .scr.exe | malicious | Snake Keylogger | 158.101.44.242
trow.exe | malicious | Unknown | 147.154.3.56
nfKqna8HuC.exe | malicious | MassLogger RAT, PureLog Stealer | 158.101.44.242
mnXS9meqtB.exe | malicious | MassLogger RAT, PureLog Stealer | 193.122.6.168
Match | Associated Sample Name / URL | Detection | Threat Name | Context

Match: 54328bd36c14bd82ddaa0c04b25ed9ad
ABG Draft.scr.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.16.1
RENH3RE2025QUOTE.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.16.1
PI ITS15235.doc | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 104.21.16.1
tN8GsMV1le.exe | malicious | MassLogger RAT | 104.21.16.1
slime crypted.exe | malicious | MassLogger RAT | 104.21.16.1
rOrders.scr.exe | malicious | Snake Keylogger | 104.21.16.1
MB263350411AE.scr.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.16.1
QUOTATION REQUIRED_Enatel s.r.l..bat.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 104.21.16.1
Remittance Advice.exe | malicious | MassLogger RAT | 104.21.16.1
SOA.scr.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.16.1
No context

Process: C:\Users\user\Desktop\MB263350411AE_1.scr.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Process: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 2232
Entropy (8bit): 5.380285623575084
Encrypted: false
SSDEEP: 48:+WSU4xympjgs4RIoU99tK8NPZHUl7u1iMuge//ZLv0Uyus:+LHxvCsIfA2KRHmOug4v1s
MD5: 1C89C8A3990612CACC689D040645A6B8
SHA1: C49EF47A626B65297DEF7BBCD227DBFF6FDA199B
SHA-256: 9EBD52015C266B88B16EC670B7DF1A9D8DE7D819026E1D57B9BCB1A34344D3A7
SHA-512: 38FC87F59CB6F9EBEB64EE23255672ECF9C4509EABEDC8050DD2F111D1E5D19A5A857DA25091559F685CEE49BB712798ABBCD7C9E10CC30909B1FFF193EC730D
Malicious: false
Preview: @...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Users\user\Desktop\MB263350411AE_1.scr.exe
File Type: XML 1.0 document, ASCII text
Category: dropped
Size (bytes): 1577
Entropy (8bit): 5.111166461994292
Encrypted: false
SSDEEP: 24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtagxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTrv
MD5: A0B7E442D44FF986F0EC57347DA31814
SHA1: 347E20765D4A9C996DFA0FB290953D0021E658D3
SHA-256: D8F76345B7E351DAA7139F735C508D46CB1A57F78C1ACA507F9D6817B910F18C
SHA-512: E8B6B470AA8AE878BFC73749DC4D75521DBD004CABE2715EDE773D988436D4835B19C8B1B8075AEF805A1C4C5AB4B2A75F66229C921EACE4C04BE4DB9BAC6DF7
Malicious: true
Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

Process: C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe
File Type: XML 1.0 document, ASCII text
Category: dropped
Size (bytes): 1577
Entropy (8bit): 5.111166461994292
Encrypted: false
SSDEEP: 24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtagxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTrv
MD5: A0B7E442D44FF986F0EC57347DA31814
SHA1: 347E20765D4A9C996DFA0FB290953D0021E658D3
SHA-256: D8F76345B7E351DAA7139F735C508D46CB1A57F78C1ACA507F9D6817B910F18C
SHA-512: E8B6B470AA8AE878BFC73749DC4D75521DBD004CABE2715EDE773D988436D4835B19C8B1B8075AEF805A1C4C5AB4B2A75F66229C921EACE4C04BE4DB9BAC6DF7
Malicious: false
Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                                                                Process:C:\Users\user\Desktop\MB263350411AE_1.scr.exe
                                                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                Category:dropped
                                                                                                                Size (bytes):578056
                                                                                                                Entropy (8bit):7.630220307130998
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:12288:0YRxA4Y5lyA/BxSPCFrbVZ4vKb6II6fcqQ236XRNBIFVkR:rRYpgKmL6tIXRv2o
                                                                                                                MD5:E10205715F674C1E004C6DBFCED1D278
                                                                                                                SHA1:60A8841A8D7E074A81ED2F6A49B853B83EF220CA
                                                                                                                SHA-256:EFD86329975988F4C9E3178D139E82558D9AB07BB53DEA0C5B6D0B234BB5CD35
                                                                                                                SHA-512:3C67CA7D358C2C6D1AE402B77F5759C3F8C6F935E639299000B8F396703284CBBD2C050365ACDF2F61279BB789EEB0E3377E06E94C98BD75CFBBE13F231F32A3
                                                                                                                Malicious:true
                                                                                                                Antivirus:
                                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                • Antivirus: ReversingLabs, Detection: 32%
                                                                                                                • Antivirus: Virustotal, Detection: 36%, Browse
                                                                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{.................0.................. ........@.. ....................................@.................................k...O........................6..............p............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......hK..\=......9...................................................0..L.........}.....(.......(......(............s......(.....o......( ....o!.....("....*.0..K.........}........(#........($.....,5...(............s......(.....o......(.....o!....8.....r...p.J...(%...o&...tJ.......('..........9.....s.........s(...s)...o*.......o+...(,.......o-...(........o/...(0.......o1...(2.......o3...(4.......o5...(6.........(7.....(......+....s(...s)...(*........(8...........s......(..
                                                                                                                Process:C:\Users\user\Desktop\MB263350411AE_1.scr.exe
                                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                                Category:dropped
                                                                                                                Size (bytes):26
                                                                                                                Entropy (8bit):3.95006375643621
                                                                                                                Encrypted:false
                                                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                Malicious:true
                                                                                                                Preview:[ZoneTransfer]....ZoneId=0
File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):7.630220307130998
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 50.01%
• Win32 Executable (generic) a (10002005/4) 49.97%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:MB263350411AE_1.scr.exe
File size:578'056 bytes
MD5:e10205715f674c1e004c6dbfced1d278
SHA1:60a8841a8d7e074a81ed2f6a49b853b83ef220ca
SHA256:efd86329975988f4c9e3178d139e82558d9ab07bb53dea0c5b6d0b234bb5cd35
SHA512:3c67ca7d358c2c6d1ae402b77f5759c3f8c6f935e639299000b8f396703284cbbd2c050365acdf2f61279bb789eeb0e3377e06e94c98bd75cfbbe13f231f32a3
SSDEEP:12288:0YRxA4Y5lyA/BxSPCFrbVZ4vKb6II6fcqQ236XRNBIFVkR:rRYpgKmL6tIXRv2o
TLSH:3DC40154321AE902C0960B701A72D3F96B359E99BA20C353DFE97EFFBD367812640352
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{.................0.................. ........@.. ....................................@................................
Icon Hash:90cececece8e8eb0
Entrypoint:0x48b0be
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x991B1B7B [Fri May 26 05:09:15 2051 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Signature Valid:false
Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232
Not Before, Not After
• 13/11/2018 00:00:00 08/11/2021 23:59:59
Subject Chain
• CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:3
Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:7C1118CBBADC95DA3752C46E47A27438
Instruction
jmp dword ptr [00402000h]
call far 0000h : 003E9999h
aas
int CCh
dec esp
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x8b06b          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x8c000          0x5e0         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x89c00          0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x8e000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x8989c          0x70          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0x890d4       0x89200   a2f64e1954e02b69fa4c6cd00bd720d1  False     0.8936517206016409  data       7.631573035742171    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x8c000          0x5e0         0x600     85bad13ef3de22f53b3b0a54a65a1a39  False     0.4329427083333333  data       4.164283067317504    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x8e000          0xc           0x200     f4e2a06343b3e98c7992d27b773b22d8  False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x8c090 | 0x350 | data | | | 0.42452830188679247
RT_MANIFEST | 0x8c3f0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-14T13:56:58.649423+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49735 | 193.122.130.0 | 80 | TCP
2025-01-14T13:57:01.442234+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49737 | 193.122.130.0 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 14, 2025 13:56:58.001986980 CET | 49735 | 80 | 192.168.2.4 | 193.122.130.0
Jan 14, 2025 13:56:58.006875038 CET | 80 | 49735 | 193.122.130.0 | 192.168.2.4
Jan 14, 2025 13:56:58.006933928 CET | 49735 | 80 | 192.168.2.4 | 193.122.130.0
Jan 14, 2025 13:56:58.007150888 CET | 49735 | 80 | 192.168.2.4 | 193.122.130.0
Jan 14, 2025 13:56:58.011940002 CET | 80 | 49735 | 193.122.130.0 | 192.168.2.4
Jan 14, 2025 13:56:58.482489109 CET | 80 | 49735 | 193.122.130.0 | 192.168.2.4
Jan 14, 2025 13:56:58.490120888 CET | 49735 | 80 | 192.168.2.4 | 193.122.130.0
Jan 14, 2025 13:56:58.495034933 CET | 80 | 49735 | 193.122.130.0 | 192.168.2.4
Jan 14, 2025 13:56:58.594799042 CET | 80 | 49735 | 193.122.130.0 | 192.168.2.4
Jan 14, 2025 13:56:58.604175091 CET | 49736 | 443 | 192.168.2.4 | 104.21.16.1
Jan 14, 2025 13:56:58.604223967 CET | 443 | 49736 | 104.21.16.1 | 192.168.2.4
Jan 14, 2025 13:56:58.604290962 CET | 49736 | 443 | 192.168.2.4 | 104.21.16.1
Jan 14, 2025 13:56:58.611109018 CET | 49736 | 443 | 192.168.2.4 | 104.21.16.1
Jan 14, 2025 13:56:58.611124039 CET | 443 | 49736 | 104.21.16.1 | 192.168.2.4
Jan 14, 2025 13:56:58.649422884 CET | 49735 | 80 | 192.168.2.4 | 193.122.130.0
Jan 14, 2025 13:56:59.074851036 CET | 443 | 49736 | 104.21.16.1 | 192.168.2.4
Jan 14, 2025 13:56:59.075011015 CET | 49736 | 443 | 192.168.2.4 | 104.21.16.1
Jan 14, 2025 13:56:59.079155922 CET | 49736 | 443 | 192.168.2.4 | 104.21.16.1
Jan 14, 2025 13:56:59.079169989 CET | 443 | 49736 | 104.21.16.1 | 192.168.2.4
Jan 14, 2025 13:56:59.079457998 CET | 443 | 49736 | 104.21.16.1 | 192.168.2.4
Jan 14, 2025 13:56:59.126729965 CET | 49736 | 443 | 192.168.2.4 | 104.21.16.1
Jan 14, 2025 13:56:59.167356968 CET | 443 | 49736 | 104.21.16.1 | 192.168.2.4
Jan 14, 2025 13:56:59.234988928 CET | 443 | 49736 | 104.21.16.1 | 192.168.2.4
Jan 14, 2025 13:56:59.235048056 CET | 443 | 49736 | 104.21.16.1 | 192.168.2.4
Jan 14, 2025 13:56:59.235235929 CET | 49736 | 443 | 192.168.2.4 | 104.21.16.1
Jan 14, 2025 13:56:59.247643948 CET | 49736 | 443 | 192.168.2.4 | 104.21.16.1
Jan 14, 2025 13:57:00.300474882 CET | 49737 | 80 | 192.168.2.4 | 193.122.130.0
Jan 14, 2025 13:57:00.305622101 CET | 80 | 49737 | 193.122.130.0 | 192.168.2.4
Jan 14, 2025 13:57:00.305696011 CET | 49737 | 80 | 192.168.2.4 | 193.122.130.0
Jan 14, 2025 13:57:00.311870098 CET | 49737 | 80 | 192.168.2.4 | 193.122.130.0
Jan 14, 2025 13:57:00.316889048 CET | 80 | 49737 | 193.122.130.0 | 192.168.2.4
Jan 14, 2025 13:57:01.103172064 CET | 80 | 49737 | 193.122.130.0 | 192.168.2.4
Jan 14, 2025 13:57:01.109560013 CET | 49737 | 80 | 192.168.2.4 | 193.122.130.0
Jan 14, 2025 13:57:01.114382982 CET | 80 | 49737 | 193.122.130.0 | 192.168.2.4
Jan 14, 2025 13:57:01.232258081 CET | 80 | 49737 | 193.122.130.0 | 192.168.2.4
Jan 14, 2025 13:57:01.234155893 CET | 49739 | 443 | 192.168.2.4 | 104.21.16.1
Jan 14, 2025 13:57:01.234198093 CET | 443 | 49739 | 104.21.16.1 | 192.168.2.4
Jan 14, 2025 13:57:01.234262943 CET | 49739 | 443 | 192.168.2.4 | 104.21.16.1
Jan 14, 2025 13:57:01.237883091 CET | 49739 | 443 | 192.168.2.4 | 104.21.16.1
Jan 14, 2025 13:57:01.237920046 CET | 443 | 49739 | 104.21.16.1 | 192.168.2.4
Jan 14, 2025 13:57:01.442164898 CET | 80 | 49737 | 193.122.130.0 | 192.168.2.4
Jan 14, 2025 13:57:01.442234039 CET | 49737 | 80 | 192.168.2.4 | 193.122.130.0
Jan 14, 2025 13:57:01.720171928 CET | 443 | 49739 | 104.21.16.1 | 192.168.2.4
Jan 14, 2025 13:57:01.720276117 CET | 49739 | 443 | 192.168.2.4 | 104.21.16.1
Jan 14, 2025 13:57:01.721863985 CET | 49739 | 443 | 192.168.2.4 | 104.21.16.1
Jan 14, 2025 13:57:01.721879005 CET | 443 | 49739 | 104.21.16.1 | 192.168.2.4
Jan 14, 2025 13:57:01.722266912 CET | 443 | 49739 | 104.21.16.1 | 192.168.2.4
Jan 14, 2025 13:57:01.766587973 CET | 49739 | 443 | 192.168.2.4 | 104.21.16.1
Jan 14, 2025 13:57:01.807329893 CET | 443 | 49739 | 104.21.16.1 | 192.168.2.4
Jan 14, 2025 13:57:01.882544041 CET | 443 | 49739 | 104.21.16.1 | 192.168.2.4
Jan 14, 2025 13:57:01.882606983 CET | 443 | 49739 | 104.21.16.1 | 192.168.2.4
Jan 14, 2025 13:57:01.882721901 CET | 49739 | 443 | 192.168.2.4 | 104.21.16.1
Jan 14, 2025 13:57:01.885422945 CET | 49739 | 443 | 192.168.2.4 | 104.21.16.1
Jan 14, 2025 13:58:03.595369101 CET | 80 | 49735 | 193.122.130.0 | 192.168.2.4
Jan 14, 2025 13:58:03.595484972 CET | 49735 | 80 | 192.168.2.4 | 193.122.130.0
Jan 14, 2025 13:58:06.231836081 CET | 80 | 49737 | 193.122.130.0 | 192.168.2.4
Jan 14, 2025 13:58:06.231909990 CET | 49737 | 80 | 192.168.2.4 | 193.122.130.0
Jan 14, 2025 13:58:38.603637934 CET | 49735 | 80 | 192.168.2.4 | 193.122.130.0
Jan 14, 2025 13:58:38.608592987 CET | 80 | 49735 | 193.122.130.0 | 192.168.2.4
Jan 14, 2025 13:58:41.243664026 CET | 49737 | 80 | 192.168.2.4 | 193.122.130.0
Jan 14, 2025 13:58:41.248574018 CET | 80 | 49737 | 193.122.130.0 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 14, 2025 13:56:57.989805937 CET | 61508 | 53 | 192.168.2.4 | 1.1.1.1
Jan 14, 2025 13:56:57.996706963 CET | 53 | 61508 | 1.1.1.1 | 192.168.2.4
Jan 14, 2025 13:56:58.596271038 CET | 64356 | 53 | 192.168.2.4 | 1.1.1.1
Jan 14, 2025 13:56:58.603367090 CET | 53 | 64356 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 14, 2025 13:56:57.989805937 CET | 192.168.2.4 | 1.1.1.1 | 0x7741 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jan 14, 2025 13:56:58.596271038 CET | 192.168.2.4 | 1.1.1.1 | 0x6683 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 14, 2025 13:56:57.996706963 CET | 1.1.1.1 | 192.168.2.4 | 0x7741 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 14, 2025 13:56:57.996706963 CET | 1.1.1.1 | 192.168.2.4 | 0x7741 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jan 14, 2025 13:56:57.996706963 CET | 1.1.1.1 | 192.168.2.4 | 0x7741 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jan 14, 2025 13:56:57.996706963 CET | 1.1.1.1 | 192.168.2.4 | 0x7741 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jan 14, 2025 13:56:57.996706963 CET | 1.1.1.1 | 192.168.2.4 | 0x7741 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jan 14, 2025 13:56:57.996706963 CET | 1.1.1.1 | 192.168.2.4 | 0x7741 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jan 14, 2025 13:56:58.603367090 CET | 1.1.1.1 | 192.168.2.4 | 0x6683 | No error (0) | reallyfreegeoip.org | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 14, 2025 13:56:58.603367090 CET | 1.1.1.1 | 192.168.2.4 | 0x6683 | No error (0) | reallyfreegeoip.org | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 14, 2025 13:56:58.603367090 CET | 1.1.1.1 | 192.168.2.4 | 0x6683 | No error (0) | reallyfreegeoip.org | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 14, 2025 13:56:58.603367090 CET | 1.1.1.1 | 192.168.2.4 | 0x6683 | No error (0) | reallyfreegeoip.org | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 14, 2025 13:56:58.603367090 CET | 1.1.1.1 | 192.168.2.4 | 0x6683 | No error (0) | reallyfreegeoip.org | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 14, 2025 13:56:58.603367090 CET | 1.1.1.1 | 192.168.2.4 | 0x6683 | No error (0) | reallyfreegeoip.org | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 14, 2025 13:56:58.603367090 CET | 1.1.1.1 | 192.168.2.4 | 0x6683 | No error (0) | reallyfreegeoip.org | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
• reallyfreegeoip.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49735 | 193.122.130.0 | 80 | 7768 | C:\Users\user\Desktop\MB263350411AE_1.scr.exe
Timestamp | Bytes transferred | Direction | Data
Jan 14, 2025 13:56:58.007150888 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 14, 2025 13:56:58.482489109 CET | 321 | IN | HTTP/1.1 200 OK
Date: Tue, 14 Jan 2025 12:56:58 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: f7ed56eff7ac1664d58b241bc65ab820
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 14, 2025 13:56:58.490120888 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 14, 2025 13:56:58.594799042 CET | 321 | IN | HTTP/1.1 200 OK
Date: Tue, 14 Jan 2025 12:56:58 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 402970175e9e8e9bc809c2a41ce8682d
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49737 | 193.122.130.0 | 80 | 8044 | C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe
Timestamp | Bytes transferred | Direction | Data
Jan 14, 2025 13:57:00.311870098 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 14, 2025 13:57:01.103172064 CET | 321 | IN | HTTP/1.1 200 OK
Date: Tue, 14 Jan 2025 12:57:01 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: f5d76f813b0a090fffa6a527dd376d53
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 14, 2025 13:57:01.109560013 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 14, 2025 13:57:01.232258081 CET | 321 | IN | HTTP/1.1 200 OK
Date: Tue, 14 Jan 2025 12:57:01 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: f21fb4cc930a4c42e6b24b2256851c40
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 14, 2025 13:57:01.442164898 CET | 321 | IN | HTTP/1.1 200 OK
Date: Tue, 14 Jan 2025 12:57:01 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: f21fb4cc930a4c42e6b24b2256851c40
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                0192.168.2.449736104.21.16.14437768C:\Users\user\Desktop\MB263350411AE_1.scr.exe
                                                                                                                TimestampBytes transferredDirectionData
                                                                                                                2025-01-14 12:56:59 UTC85OUTGET /xml/8.46.123.189 HTTP/1.1
                                                                                                                Host: reallyfreegeoip.org
                                                                                                                Connection: Keep-Alive
                                                                                                                2025-01-14 12:56:59 UTC861INHTTP/1.1 200 OK
                                                                                                                Date: Tue, 14 Jan 2025 12:56:59 GMT
                                                                                                                Content-Type: text/xml
                                                                                                                Content-Length: 362
                                                                                                                Connection: close
                                                                                                                Age: 2174208
                                                                                                                Cache-Control: max-age=31536000
                                                                                                                cf-cache-status: HIT
                                                                                                                last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9rgDGI9PsJt6Xf5q4u8FqdmarpUmW%2FXyrPC0vXJ%2FUHXjClLEDVDvsSj3PxsT0gzcAFYGFZf%2FmknEeVB0njXurjt4o8%2BRal7UaOCfc%2FLWQAwJPRer5F8fa16%2Fx09yxbjq3IszjT5t"}],"group":"cf-nel","max_age":604800}
                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                Server: cloudflare
                                                                                                                CF-RAY: 901dca09dde18ce0-EWR
                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1777&min_rtt=1770&rtt_var=678&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1598248&cwnd=215&unsent_bytes=0&cid=65c09c59725d7ee9&ts=172&x=0"
2025-01-14 12:56:59 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49739 | 104.21.16.1 | 443 | 8044 | C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-14 12:57:01 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                                Host: reallyfreegeoip.org
                                                                                                                Connection: Keep-Alive
2025-01-14 12:57:01 UTC | 863 | IN | HTTP/1.1 200 OK
                                                                                                                Date: Tue, 14 Jan 2025 12:57:01 GMT
                                                                                                                Content-Type: text/xml
                                                                                                                Content-Length: 362
                                                                                                                Connection: close
                                                                                                                Age: 2174210
                                                                                                                Cache-Control: max-age=31536000
                                                                                                                cf-cache-status: HIT
                                                                                                                last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XAGAYIEApIc%2FhM7J9Jos%2FS3MrEeyuu2%2BmAsFoyFtGlly9b4p%2B%2FgxKu3iyfpreeeDIcpAtf8rBzKZjn%2FlDuYwyzk9J4UJXfqMbIWNlCXLCMmmwkbPA%2FK1hftUzjMhxfRdQVgb7cMi"}],"group":"cf-nel","max_age":604800}
                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                Server: cloudflare
                                                                                                                CF-RAY: 901dca1a5cb24388-EWR
                                                                                                                alt-svc: h3=":443"; ma=86400
                                                                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1609&min_rtt=1608&rtt_var=605&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1803582&cwnd=221&unsent_bytes=0&cid=9eff27e5f79cac43&ts=169&x=0"
2025-01-14 12:57:01 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo



                                                                                                                Target ID:0
                                                                                                                Start time:07:56:54
                                                                                                                Start date:14/01/2025
                                                                                                                Path:C:\Users\user\Desktop\MB263350411AE_1.scr.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:"C:\Users\user\Desktop\MB263350411AE_1.scr.exe"
                                                                                                                Imagebase:0x5d0000
                                                                                                                File size:578'056 bytes
                                                                                                                MD5 hash:E10205715F674C1E004C6DBFCED1D278
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Yara matches:
                                                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1712307029.0000000005310000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1709843168.0000000003A09000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1709843168.0000000003A09000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1709843168.0000000003A09000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1709843168.0000000003A09000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1709843168.0000000003BE5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1709843168.0000000003BE5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1709843168.0000000003BE5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1709843168.0000000003BE5000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1709843168.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1709843168.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1709843168.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1709843168.0000000003A27000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1708901730.0000000002AC9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                Reputation:low
                                                                                                                Has exited:true

                                                                                                                Target ID:2
                                                                                                                Start time:07:56:56
                                                                                                                Start date:14/01/2025
                                                                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe"
                                                                                                                Imagebase:0xc10000
                                                                                                                File size:433'152 bytes
                                                                                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:3
                                                                                                                Start time:07:56:56
                                                                                                                Start date:14/01/2025
                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:0x7ff7699e0000
                                                                                                                File size:862'208 bytes
                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:4
                                                                                                                Start time:07:56:56
                                                                                                                Start date:14/01/2025
                                                                                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDVstwLnVvg" /XML "C:\Users\user\AppData\Local\Temp\tmp1488.tmp"
                                                                                                                Imagebase:0x450000
                                                                                                                File size:187'904 bytes
                                                                                                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:5
                                                                                                                Start time:07:56:56
                                                                                                                Start date:14/01/2025
                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:0x7ff7699e0000
                                                                                                                File size:862'208 bytes
                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:6
                                                                                                                Start time:07:56:57
                                                                                                                Start date:14/01/2025
                                                                                                                Path:C:\Users\user\Desktop\MB263350411AE_1.scr.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:"C:\Users\user\Desktop\MB263350411AE_1.scr.exe"
                                                                                                                Imagebase:0x690000
                                                                                                                File size:578'056 bytes
                                                                                                                MD5 hash:E10205715F674C1E004C6DBFCED1D278
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:true
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Yara matches:
                                                                                                                • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000006.00000002.2904272614.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2904272614.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.2904272614.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.2904272614.0000000000403000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2907398360.00000000029F3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                Reputation:low
                                                                                                                Has exited:false

                                                                                                                Target ID:7
                                                                                                                Start time:07:56:57
                                                                                                                Start date:14/01/2025
                                                                                                                Path:C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe
                                                                                                                Imagebase:0xf40000
                                                                                                                File size:578'056 bytes
                                                                                                                MD5 hash:E10205715F674C1E004C6DBFCED1D278
                                                                                                                Has elevated privileges:false
                                                                                                                Has administrator privileges:false
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Yara matches:
                                                                                                                • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000007.00000002.1743871587.0000000004507000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.1743871587.0000000004507000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.1743871587.0000000004507000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.1743871587.0000000004507000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000007.00000002.1743871587.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.1743871587.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.1743871587.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.1743871587.00000000043AA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                Antivirus matches:
                                                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                                                • Detection: 32%, ReversingLabs
• Detection: 36%, Virustotal
                                                                                                                Reputation:low
                                                                                                                Has exited:true

                                                                                                                Target ID:8
                                                                                                                Start time:07:56:58
                                                                                                                Start date:14/01/2025
                                                                                                                Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                Imagebase:0x7ff693ab0000
                                                                                                                File size:496'640 bytes
                                                                                                                MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                                Has elevated privileges:true
                                                                                                                Has administrator privileges:false
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:9
                                                                                                                Start time:07:56:58
                                                                                                                Start date:14/01/2025
                                                                                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nDVstwLnVvg" /XML "C:\Users\user\AppData\Local\Temp\tmp1DC0.tmp"
                                                                                                                Imagebase:0x450000
                                                                                                                File size:187'904 bytes
                                                                                                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                Has elevated privileges:false
                                                                                                                Has administrator privileges:false
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:10
                                                                                                                Start time:07:56:58
                                                                                                                Start date:14/01/2025
                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                Imagebase:0x7ff7699e0000
                                                                                                                File size:862'208 bytes
                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                Has elevated privileges:false
                                                                                                                Has administrator privileges:false
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:high
                                                                                                                Has exited:true

                                                                                                                Target ID:11
                                                                                                                Start time:07:56:59
                                                                                                                Start date:14/01/2025
                                                                                                                Path:C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe
                                                                                                                Wow64 process (32bit):false
                                                                                                                Commandline:"C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe"
                                                                                                                Imagebase:0x180000
                                                                                                                File size:578'056 bytes
                                                                                                                MD5 hash:E10205715F674C1E004C6DBFCED1D278
                                                                                                                Has elevated privileges:false
                                                                                                                Has administrator privileges:false
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Reputation:low
                                                                                                                Has exited:true

                                                                                                                Target ID:12
                                                                                                                Start time:07:56:59
                                                                                                                Start date:14/01/2025
                                                                                                                Path:C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe
                                                                                                                Wow64 process (32bit):true
                                                                                                                Commandline:"C:\Users\user\AppData\Roaming\nDVstwLnVvg.exe"
                                                                                                                Imagebase:0xbd0000
                                                                                                                File size:578'056 bytes
                                                                                                                MD5 hash:E10205715F674C1E004C6DBFCED1D278
                                                                                                                Has elevated privileges:false
                                                                                                                Has administrator privileges:false
                                                                                                                Programmed in:C, C++ or other language
                                                                                                                Yara matches:
                                                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.2908519169.00000000031F3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                Reputation:low
                                                                                                                Has exited:false

                                                                                                                  Execution Graph

                                                                                                                  Execution Coverage:11.8%
                                                                                                                  Dynamic/Decrypted Code Coverage:97.5%
                                                                                                                  Signature Coverage:0%
                                                                                                                  Total number of Nodes:122
                                                                                                                  Total number of Limit Nodes:12
                                                                                                                  execution_graph 31877 eb4668 31878 eb467a 31877->31878 31879 eb4686 31878->31879 31881 eb4778 31878->31881 31882 eb477c 31881->31882 31886 eb4888 31882->31886 31890 eb4878 31882->31890 31888 eb48af 31886->31888 31887 eb498c 31887->31887 31888->31887 31894 eb44f0 31888->31894 31892 eb487c 31890->31892 31891 eb498c 31891->31891 31892->31891 31893 eb44f0 CreateActCtxA 31892->31893 31893->31891 31895 eb5918 CreateActCtxA 31894->31895 31897 eb59db 31895->31897 31897->31897 31898 ebd378 31899 ebd3be 31898->31899 31903 ebd558 31899->31903 31906 ebd547 31899->31906 31900 ebd4ab 31910 ebb3b0 31903->31910 31907 ebd554 31906->31907 31908 ebb3b0 DuplicateHandle 31907->31908 31909 ebd586 31908->31909 31909->31900 31911 ebd9c8 DuplicateHandle 31910->31911 31912 ebd586 31911->31912 31912->31900 31913 4fb3088 31915 4fb30bf 31913->31915 31914 4fb3218 31915->31914 31918 4fb5981 31915->31918 31922 4fb5990 31915->31922 31919 4fb5990 31918->31919 31926 4fb0e84 31919->31926 31923 4fb59a0 31922->31923 31924 4fb0e84 DrawTextExW 31923->31924 31925 4fb59dc 31924->31925 31925->31914 31928 4fb0e8f 31926->31928 31927 4fb232b 31927->31914 31928->31927 31930 4fb0e94 31928->31930 31931 4fb0e9f 31930->31931 31935 4fb96c2 31931->31935 31939 4fb96d0 31931->31939 31932 4fb96b7 31932->31927 31936 4fb96d9 31935->31936 31943 4fb9708 31936->31943 31937 4fb96fe 31937->31932 31940 4fb96d9 31939->31940 31942 4fb9708 DrawTextExW 31940->31942 31941 4fb96fe 31941->31932 31942->31941 31944 4fb9742 31943->31944 31945 4fb9753 31943->31945 31944->31937 31946 4fb97e1 31945->31946 31949 4fb9a31 31945->31949 31954 4fb9a40 31945->31954 31946->31937 31950 4fb9a68 31949->31950 31951 4fb9b6e 31950->31951 31959 4fba2d0 31950->31959 31964 4fba2c0 31950->31964 31951->31944 31955 4fb9a68 31954->31955 31956 4fb9b6e 31955->31956 31957 4fba2d0 DrawTextExW 31955->31957 31958 4fba2c0 DrawTextExW 31955->31958 
31956->31944 31957->31956 31958->31956 31960 4fba2e6 31959->31960 31969 4fba729 31960->31969 31973 4fba738 31960->31973 31961 4fba35c 31961->31951 31965 4fba2e6 31964->31965 31967 4fba729 DrawTextExW 31965->31967 31968 4fba738 DrawTextExW 31965->31968 31966 4fba35c 31966->31951 31967->31966 31968->31966 31970 4fba756 31969->31970 31977 4fba778 31969->31977 31984 4fba768 31969->31984 31970->31961 31975 4fba778 DrawTextExW 31973->31975 31976 4fba768 DrawTextExW 31973->31976 31974 4fba756 31974->31961 31975->31974 31976->31974 31978 4fba7a9 31977->31978 31979 4fba7d6 31978->31979 31991 4fba7e9 31978->31991 31996 4fba8a0 31978->31996 32003 4fba8fc 31978->32003 32011 4fba7f8 31978->32011 31979->31970 31985 4fba7a9 31984->31985 31986 4fba7d6 31985->31986 31987 4fba7e9 DrawTextExW 31985->31987 31988 4fba7f8 DrawTextExW 31985->31988 31989 4fba8fc DrawTextExW 31985->31989 31990 4fba8a0 DrawTextExW 31985->31990 31986->31970 31987->31986 31988->31986 31989->31986 31990->31986 31993 4fba7f8 31991->31993 31992 4fba82e 31992->31979 31993->31992 31994 4fb9080 DrawTextExW 31993->31994 31995 4fba899 31994->31995 31997 4fba89b 31996->31997 31998 4fba8c3 31997->31998 31999 4fba8a0 DrawTextExW 31997->31999 32000 4fba84c 31997->32000 31998->31979 31999->31996 32001 4fb9080 DrawTextExW 32000->32001 32002 4fba899 32001->32002 32004 4fba89b 32003->32004 32005 4fba90a 32003->32005 32006 4fba84c 32004->32006 32007 4fba8c3 32004->32007 32008 4fba8a0 DrawTextExW 32004->32008 32009 4fb9080 DrawTextExW 32006->32009 32007->31979 32008->32004 32010 4fba899 32009->32010 32013 4fba819 32011->32013 32012 4fba82e 32012->31979 32013->32012 32014 4fb9080 DrawTextExW 32013->32014 32015 4fba899 32014->32015 32016 ebaed0 32017 ebaedf 32016->32017 32019 ebb3c1 32016->32019 32020 ebb404 32019->32020 32021 ebb3e1 32019->32021 32020->32017 32021->32020 32022 ebb608 GetModuleHandleW 32021->32022 32023 ebb635 32022->32023 32023->32017 32024 74c41f0 32025 74c4216 32024->32025 32026 74c437b 32024->32026 
32025->32026 32028 74c07f8 32025->32028 32029 74c4470 PostMessageW 32028->32029 32030 74c44dc 32029->32030 32030->32025
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1708144035.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_eb0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: Pp^q
                                                                                                                  • API String ID: 0-3179448734
                                                                                                                  • Opcode ID: 5164ac3be85aa30ac0143de052fa3bdbb45a542e92fcaf232c674273f26cbbd9
                                                                                                                  • Instruction ID: 5a65763a82c88f2b22fec6d2e45c27e92f2da5eab5b9ec8f80b9763d5e8304b7
                                                                                                                  • Opcode Fuzzy Hash: 5164ac3be85aa30ac0143de052fa3bdbb45a542e92fcaf232c674273f26cbbd9
                                                                                                                  • Instruction Fuzzy Hash: 17818374E002089FDB15DFA9D981ADEBBF6FF88300F209529E419AB365DB306946CF50
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1708144035.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_eb0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: Pp^q
                                                                                                                  • API String ID: 0-3179448734
                                                                                                                  • Opcode ID: 158fe9a6fcc3e1310de26ab0562682853513c5bce85b10996e21e0419c5f8bf7
                                                                                                                  • Instruction ID: 62773041f5dbe5afce7c6f30ecbe4997ff41c3f0c68a37177e69bfdb09972b0b
                                                                                                                  • Opcode Fuzzy Hash: 158fe9a6fcc3e1310de26ab0562682853513c5bce85b10996e21e0419c5f8bf7
                                                                                                                  • Instruction Fuzzy Hash: 48816274E002089FDB54DFA9D984ADEBBF6FF88300F209529E419AB365DB319945CF50
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1715292294.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_74c0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: fcd4afddb3766892d05770fff4ee3e1f4ff0d361980effc5de95d360695a13bb
                                                                                                                  • Instruction ID: a8141a8027e1daff5a6f2c421b01e30fdf0311ec74851d16632fe3a2fea4e570
                                                                                                                  • Opcode Fuzzy Hash: fcd4afddb3766892d05770fff4ee3e1f4ff0d361980effc5de95d360695a13bb
                                                                                                                  • Instruction Fuzzy Hash: AC8125B5D44229CBDB64CF66C8407E9BBB6AF8A300F10C1EAD40DAA250EB705A85CF41
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1715292294.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_74c0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: e0a3bb7a08a1a668f7af722083fa88b06e9ea4a748c72595f315a8f1351dbfc0
                                                                                                                  • Instruction ID: f14eb1a81d9cd560041ce70c474913dd1f8f301f3a782ff447f76ca0e8ce12f7
                                                                                                                  • Opcode Fuzzy Hash: e0a3bb7a08a1a668f7af722083fa88b06e9ea4a748c72595f315a8f1351dbfc0
                                                                                                                  • Instruction Fuzzy Hash: 09E0ECB886D254CFC781DF50DC555F9BBBC9B0B310F01A59ED009AB262DA308985CA16
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1715292294.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_74c0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: eff49908ad8b6fc35a591ca9fa333090f6bbd1b752c970cae1459a817ed8bb3e
                                                                                                                  • Instruction ID: 1d70f34cda437576480ac86109dcc1a8c6e28b13752b38fddce3783982065b5a
                                                                                                                  • Opcode Fuzzy Hash: eff49908ad8b6fc35a591ca9fa333090f6bbd1b752c970cae1459a817ed8bb3e
                                                                                                                  • Instruction Fuzzy Hash: FBD0C7FCC6D114CFC7C1EE60DC952F5B67C971B305F04B89E9409A7201D9318881CB19

                                                                                                                  Control-flow Graph

                                                                                                                  • Executed
                                                                                                                  • Not Executed
                                                                                                                  control_flow_graph 546 ebb3c1-ebb3df 547 ebb40b-ebb40f 546->547 548 ebb3e1-ebb3ee call eb9f4c 546->548 549 ebb423-ebb464 547->549 550 ebb411-ebb41b 547->550 555 ebb3f0 548->555 556 ebb404 548->556 557 ebb471-ebb47f 549->557 558 ebb466-ebb46e 549->558 550->549 602 ebb3f6 call ebb659 555->602 603 ebb3f6 call ebb668 555->603 556->547 560 ebb4a3-ebb4a5 557->560 561 ebb481-ebb486 557->561 558->557 559 ebb3fc-ebb3fe 559->556 562 ebb540-ebb600 559->562 563 ebb4a8-ebb4af 560->563 564 ebb488-ebb48f call eb9f58 561->564 565 ebb491 561->565 597 ebb608-ebb633 GetModuleHandleW 562->597 598 ebb602-ebb605 562->598 567 ebb4bc-ebb4c3 563->567 568 ebb4b1-ebb4b9 563->568 566 ebb493-ebb4a1 564->566 565->566 566->563 570 ebb4d0-ebb4d9 call eb9f68 567->570 571 ebb4c5-ebb4cd 567->571 568->567 577 ebb4db-ebb4e3 570->577 578 ebb4e6-ebb4eb 570->578 571->570 577->578 579 ebb509-ebb516 578->579 580 ebb4ed-ebb4f4 578->580 586 ebb539-ebb53f 579->586 587 ebb518-ebb536 579->587 580->579 582 ebb4f6-ebb506 call eb9f78 call ebafbc 580->582 582->579 587->586 599 ebb63c-ebb650 597->599 600 ebb635-ebb63b 597->600 598->597 600->599 602->559 603->559
                                                                                                                  APIs
                                                                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 00EBB626
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1708144035.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_eb0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: HandleModule
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4139908857-0
                                                                                                                  • Opcode ID: 75d6d9f36afeb821e004cba1b2dfe50172036acbd5ccc0730f53f158ae8cc845
                                                                                                                  • Instruction ID: 264394c4c4d325afe7bed49ca6bb69b75475a668368e6a8aa55f825d9b466a3e
                                                                                                                  • Opcode Fuzzy Hash: 75d6d9f36afeb821e004cba1b2dfe50172036acbd5ccc0730f53f158ae8cc845
                                                                                                                  • Instruction Fuzzy Hash: 65814370A00B458FD724DF29D0417ABBBF2FF88304F008929E49AE7A51E7B4E945CB91

                                                                                                                  Control-flow Graph

                                                                                                                  • Executed
                                                                                                                  • Not Executed
                                                                                                                  control_flow_graph 604 eb590c-eb590e 605 eb5910-eb5912 604->605 606 eb5914-eb5916 604->606 605->606 607 eb5918-eb59d9 CreateActCtxA 605->607 606->607 609 eb59db-eb59e1 607->609 610 eb59e2-eb5a3c 607->610 609->610 617 eb5a4b-eb5a4f 610->617 618 eb5a3e-eb5a41 610->618 619 eb5a51-eb5a5d 617->619 620 eb5a60 617->620 618->617 619->620 622 eb5a61 620->622 622->622
                                                                                                                  APIs
                                                                                                                  • CreateActCtxA.KERNEL32(?), ref: 00EB59C9
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1708144035.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_eb0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Create
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2289755597-0
                                                                                                                  • Opcode ID: a0aea8129305e949561a071f5914b6f147f270fef3c0915770fccc3a2ba80eb2
                                                                                                                  • Instruction ID: 5ada9d59e5647a7399f2f78f53e94598a2a0fc34a15f842c69e0ffc07e47511b
                                                                                                                  • Opcode Fuzzy Hash: a0aea8129305e949561a071f5914b6f147f270fef3c0915770fccc3a2ba80eb2
                                                                                                                  • Instruction Fuzzy Hash: 714113B1C00719DBDB24DFA9C884BCEBBB5BF89308F20816AD418BB251DB756945CF90

                                                                                                                  Control-flow Graph
                                                                                                                  control_flow_graph 623 eb44f0-eb59d9 CreateActCtxA 626 eb59db-eb59e1 623->626 627 eb59e2-eb5a3c 623->627 626->627 634 eb5a4b-eb5a4f 627->634 635 eb5a3e-eb5a41 627->635 636 eb5a51-eb5a5d 634->636 637 eb5a60 634->637 635->634 636->637 639 eb5a61 637->639 639->639
                                                                                                                  APIs
                                                                                                                  • CreateActCtxA.KERNEL32(?), ref: 00EB59C9
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1708144035.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_eb0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Create
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2289755597-0
                                                                                                                  • Opcode ID: 8c13eda0fed25115028593514f6e9de10e547477d05e0c950cb811b1046979ef
                                                                                                                  • Instruction ID: 728c6aa8b148b8a17c9bebd2b1539d68430196a597e29fa1b099322a6a94bf63
                                                                                                                  • Opcode Fuzzy Hash: 8c13eda0fed25115028593514f6e9de10e547477d05e0c950cb811b1046979ef
                                                                                                                  • Instruction Fuzzy Hash: F341F1B1C00719CBDB24DFA9C884BDEBBB5BF89304F20806AD408BB255DB75A945CF90

                                                                                                                  Control-flow Graph
                                                                                                                  control_flow_graph 640 4fbc04c-4fbd464 642 4fbd46f-4fbd47e 640->642 643 4fbd466-4fbd46c 640->643 644 4fbd483-4fbd4bc DrawTextExW 642->644 645 4fbd480 642->645 643->642 646 4fbd4be-4fbd4c4 644->646 647 4fbd4c5-4fbd4e2 644->647 645->644 646->647
                                                                                                                  APIs
                                                                                                                  • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,04FBD3FD,?,?), ref: 04FBD4AF
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1711608078.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_4fb0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: DrawText
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2175133113-0
                                                                                                                  • Opcode ID: 43ecd8f1fedadbdce19deec7a13061f5f7df90242539c3592ce06718b227a076
                                                                                                                  • Instruction ID: c10ae41ee15643842c76ea896221069de9500ad933c234def20e1122f5186e40
                                                                                                                  • Opcode Fuzzy Hash: 43ecd8f1fedadbdce19deec7a13061f5f7df90242539c3592ce06718b227a076
                                                                                                                  • Instruction Fuzzy Hash: C231EEB5D002099FDB10CF9AD884AEEFBF5EB48320F14842AE959A7210D774A945CFA1

                                                                                                                  Control-flow Graph
                                                                                                                  control_flow_graph 650 4fbd410-4fbd464 651 4fbd46f-4fbd47e 650->651 652 4fbd466-4fbd46c 650->652 653 4fbd483-4fbd4bc DrawTextExW 651->653 654 4fbd480 651->654 652->651 655 4fbd4be-4fbd4c4 653->655 656 4fbd4c5-4fbd4e2 653->656 654->653 655->656
                                                                                                                  APIs
                                                                                                                  • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,04FBD3FD,?,?), ref: 04FBD4AF
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1711608078.0000000004FB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_4fb0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: DrawText
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2175133113-0
                                                                                                                  • Opcode ID: efcf8a106ffbd5c840f57ea6491d7318b2b81cc382f99e6c7f09b3bd1fd95fcc
                                                                                                                  • Instruction ID: 2427f26fd9ad7e6ab8193c52b4cdba2f7beaae3581e3035251e0c5e5e30bee76
                                                                                                                  • Opcode Fuzzy Hash: efcf8a106ffbd5c840f57ea6491d7318b2b81cc382f99e6c7f09b3bd1fd95fcc
                                                                                                                  • Instruction Fuzzy Hash: 7C31EEB5D002099FDB10CF9AD984AEEFBF5BB48320F14842AE959A7310D375A945CFA1

                                                                                                                  Control-flow Graph
                                                                                                                  control_flow_graph 659 ebb3b0-ebda5c DuplicateHandle 661 ebda5e-ebda64 659->661 662 ebda65-ebda82 659->662 661->662
                                                                                                                  APIs
                                                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00EBD586,?,?,?,?,?), ref: 00EBDA4F
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1708144035.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_eb0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: DuplicateHandle
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3793708945-0
                                                                                                                  • Opcode ID: cd5a0e5152c733c2769103f466e87e566d9d260d9995a81aca3c31aef351c64b
                                                                                                                  • Instruction ID: 6a1b5e64533caedbe7c3b9dbbe00cefa1c94898da13bc1c3866eedc497d6eac2
                                                                                                                  • Opcode Fuzzy Hash: cd5a0e5152c733c2769103f466e87e566d9d260d9995a81aca3c31aef351c64b
                                                                                                                  • Instruction Fuzzy Hash: 1821D4B5904208AFDB10CF99D984AEEBFF5EB48314F14841AE918B7250D374A940CFA4

                                                                                                                  Control-flow Graph
                                                                                                                  control_flow_graph 665 ebd9c1-ebd9c6 666 ebd9c8-ebda5c DuplicateHandle 665->666 667 ebda5e-ebda64 666->667 668 ebda65-ebda82 666->668 667->668
                                                                                                                  APIs
                                                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00EBD586,?,?,?,?,?), ref: 00EBDA4F
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1708144035.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_eb0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: DuplicateHandle
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 3793708945-0
                                                                                                                  • Opcode ID: dcb6682056b64e6ed3fb86cecbf5409405ffff71859bb7eeaaedc4fa3666272c
                                                                                                                  • Instruction ID: d66fc1f5baac6e81cb29d8710c2d59496f1e71d493850d9901656aeb2cbf73e0
                                                                                                                  • Opcode Fuzzy Hash: dcb6682056b64e6ed3fb86cecbf5409405ffff71859bb7eeaaedc4fa3666272c
                                                                                                                  • Instruction Fuzzy Hash: 2121E3B59002589FDB10CF9AD985AEEFFF4EB48314F14801AE918A3310D374A954CFA5

                                                                                                                  Control-flow Graph
                                                                                                                  control_flow_graph 677 74c07f8-74c44da PostMessageW 679 74c44dc-74c44e2 677->679 680 74c44e3-74c44f7 677->680 679->680
                                                                                                                  APIs
                                                                                                                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 074C44CD
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1715292294.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_74c0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessagePost
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 410705778-0
                                                                                                                  • Opcode ID: acbdd18789374d2878363effae27a4dbf5eece65011f79de790920aa90172eb1
                                                                                                                  • Instruction ID: 120e400cd72cf3d47da6affcd4459e815b4953e225dd0178fb5ca357e637947e
                                                                                                                  • Opcode Fuzzy Hash: acbdd18789374d2878363effae27a4dbf5eece65011f79de790920aa90172eb1
                                                                                                                  • Instruction Fuzzy Hash: 5F11F5B58003499FDB10DF99D545BDEFFF8EB48314F20881AE558A7200C375A944CFA5

                                                                                                                  Control-flow Graph
                                                                                                                  control_flow_graph 671 ebb5c0-ebb600 672 ebb608-ebb633 GetModuleHandleW 671->672 673 ebb602-ebb605 671->673 674 ebb63c-ebb650 672->674 675 ebb635-ebb63b 672->675 673->672 675->674
                                                                                                                  APIs
                                                                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 00EBB626
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1708144035.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_eb0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: HandleModule
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4139908857-0
                                                                                                                  • Opcode ID: 737b9117c367e637b4151966f3dd4fe523fdc0ef0e23475c12f8a4d759bd48d5
                                                                                                                  • Instruction ID: fe4b3297bd0005e3d68bf7fda51cd8e95d8442c76172f250442d9e16df822d03
                                                                                                                  • Opcode Fuzzy Hash: 737b9117c367e637b4151966f3dd4fe523fdc0ef0e23475c12f8a4d759bd48d5
                                                                                                                  • Instruction Fuzzy Hash: 4A110FB5C003498FDB10DF9AC844ADEFBF4AB88324F10842AD418B7210C3B5A945CFA5
                                                                                                                  APIs
                                                                                                                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 074C44CD
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1715292294.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_74c0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessagePost
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 410705778-0
                                                                                                                  • Opcode ID: 32ad83ef541602cf78af71eb076a136beaa560d0eb03b5ff992914e66bb8feef
                                                                                                                  • Instruction ID: a2c61ad7861dc18a3f06aec6de211d9f0d2e9f1b25e90fa31bfa8bcf0d3142ed
                                                                                                                  • Opcode Fuzzy Hash: 32ad83ef541602cf78af71eb076a136beaa560d0eb03b5ff992914e66bb8feef
                                                                                                                  • Instruction Fuzzy Hash: 2411F2B98002599FDB10DF99C548BDEFFF4EB48314F24841AE558A7310C374A644CFA4
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1702284543.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_c1d000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 0d3103d136bbafbf74e7c970b533f2f9dfb7620fa4b66dcd0671dd854d07f4e6
                                                                                                                  • Instruction ID: 369bbfef46d98731bc576a44d0ef162b7f3990b46f4458bafc00bfb04384728c
                                                                                                                  • Opcode Fuzzy Hash: 0d3103d136bbafbf74e7c970b533f2f9dfb7620fa4b66dcd0671dd854d07f4e6
                                                                                                                  • Instruction Fuzzy Hash: D62137B1500240DFCB05DF14D9C0B67BF66FB99318F20C569E80A0B256C336D996EBB2
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1702284543.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_c1d000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 5a34f369274b08296f5e3acbaf823b9170e0504e73e75a2fc90330c3c9e9567a
                                                                                                                  • Instruction ID: 350def7224421c19b6e7454dc20321a81218acf99e23442d4d599367bfa65c3c
                                                                                                                  • Opcode Fuzzy Hash: 5a34f369274b08296f5e3acbaf823b9170e0504e73e75a2fc90330c3c9e9567a
                                                                                                                  • Instruction Fuzzy Hash: 3C213771500204DFDB05DF14D9C0B67BF65FB99324F20C569E90B4B256C33AE896EBA2
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1702360820.0000000000C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_c2d000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 46a03369d9443ec8be774f5c4b0546da155d1c362072930f4419e8d689ab3d31
                                                                                                                  • Instruction ID: d776403412aa3bf6cdbf30d0034e27b36ea327f36a9bc4dd75c55cac7735b477
                                                                                                                  • Opcode Fuzzy Hash: 46a03369d9443ec8be774f5c4b0546da155d1c362072930f4419e8d689ab3d31
                                                                                                                  • Instruction Fuzzy Hash: C7212671504200EFDB05DF14E9C4B26BBA5FBA4314F30C6ADE80A4B696C736DC46CA61
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1702360820.0000000000C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_c2d000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: a64ba122855dc905ff3766113eeb746abbc6cb599373478db00106231b2e3d3d
                                                                                                                  • Instruction ID: bfbf37e739df3bf6fd92bc7939412c357f6cbb521e95f4c53d2518e94d4880c5
                                                                                                                  • Opcode Fuzzy Hash: a64ba122855dc905ff3766113eeb746abbc6cb599373478db00106231b2e3d3d
                                                                                                                  • Instruction Fuzzy Hash: F1210475604340DFCB14DF14E9C4B26BFA5FBA4314F20C56DE94A4B6A6C33AD847CA61
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1702360820.0000000000C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_c2d000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 681d862e5f6a7238d7164e83e82103321cf3d3ed21cbada4e01b9e2955c893b4
                                                                                                                  • Instruction ID: 869b896d2e9d7e51b443c79ddc5c493e896aea05045b8da22358b0785fa44989
                                                                                                                  • Opcode Fuzzy Hash: 681d862e5f6a7238d7164e83e82103321cf3d3ed21cbada4e01b9e2955c893b4
                                                                                                                  • Instruction Fuzzy Hash: 10218E755093808FCB12CF24D994715BF71EB56314F28C5EAD8498F6A7C33A980ACB62
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1702284543.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_c1d000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                  • Instruction ID: 8f18f8e8cd3284b55f4f7bb72c4edd17179fbc3f3ef602ac2092593e25ab68b7
                                                                                                                  • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                  • Instruction Fuzzy Hash: 11112672404240CFCB16CF00D5C4B56BF71FB94324F24C6A9DC0A0B256C33AE99ADBA1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1702284543.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_c1d000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                  • Instruction ID: d9b5052920e4393c64d6d8f920ad9d2e18fb67167e53715be6598262965ffd75
                                                                                                                  • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                  • Instruction Fuzzy Hash: EA1103B2404280CFCB06CF10D5C4B56BF72FB94318F24C6A9D80A0B256C336D99ADBA1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1702360820.0000000000C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_c2d000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                  • Instruction ID: d28ce6e36912f8e1a4b77c392d77eafa9370a906b8517ebcfe355023d1fd74b2
                                                                                                                  • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                  • Instruction Fuzzy Hash: 8A11BB75504280DFDB02CF10D5C4B15BBA1FB94314F24C6AAD84A4B696C33AD84ACB61
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1715292294.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_74c0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 89181fd3971aa17bc4746b4651b723d2625da3f767edc66382b3d4270f780d8f
                                                                                                                  • Instruction ID: d073f377b5337770d2f7af62173cedd432aed35b9920c58841738ca8f7930317
                                                                                                                  • Opcode Fuzzy Hash: 89181fd3971aa17bc4746b4651b723d2625da3f767edc66382b3d4270f780d8f
                                                                                                                  • Instruction Fuzzy Hash: F0D1DAB4B016059FEB55EB76C4107AFB7F6AF89300F1684AED045AB391DB35E801CB52
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1708144035.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_eb0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: a7465dd678dd066f9f1472f0b9f9687c1b6a39e748c5f38bc9953682d68ae087
                                                                                                                  • Instruction ID: 4f0e0070b38ebe2e0a01a78b698f7f8ca46326bba35d39748ac5910552d66c19
                                                                                                                  • Opcode Fuzzy Hash: a7465dd678dd066f9f1472f0b9f9687c1b6a39e748c5f38bc9953682d68ae087
                                                                                                                  • Instruction Fuzzy Hash: 5FA14B32E002198FCF09DFA4C8505EEB7B2FF85304B25957AE905BB265EB71E955CB40
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000000.00000002.1715292294.00000000074C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074C0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_0_2_74c0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: bf55d9398bdb17a60ed44bc12f1d55dbe162144a9520e5ac27a82e414e7ce142
                                                                                                                  • Instruction ID: 4304702ca5481d5a4448e9f85777bc51ba014ad5f18b1f697135d75f7652e973
                                                                                                                  • Opcode Fuzzy Hash: bf55d9398bdb17a60ed44bc12f1d55dbe162144a9520e5ac27a82e414e7ce142
                                                                                                                  • Instruction Fuzzy Hash: C321FDB5D056288BEB68CF679C043DDFAF7AFC9301F04D1BAC40CA6215DB340A868E51
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2911193924.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_54a0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
                                                                                                                  • API String ID: 0-2735749406
                                                                                                                  • Opcode ID: b07c9dcfd20555aef90e2290bd6455016018562b3007649d2b8090b8d281d68e
                                                                                                                  • Instruction ID: 72aa2ab496b9a3f412168a66fe06756f015022d096f17ae75daf4e08f00358ec
                                                                                                                  • Opcode Fuzzy Hash: b07c9dcfd20555aef90e2290bd6455016018562b3007649d2b8090b8d281d68e
                                                                                                                  • Instruction Fuzzy Hash: D8823A36A04209DFCB95CF68C984AAEBBF2BF58304F158596F516AB361D730ED81CB50
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2911193924.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_54a0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: (o^q$(o^q$(o^q$(o^q$,bq$,bq$Hbq
                                                                                                                  • API String ID: 0-1608600535
                                                                                                                  • Opcode ID: 92ba4b01844912a95d643fb8b015f7d5b944d015afe501d659c97a5515ddacf0
                                                                                                                  • Instruction ID: fc37967056011d01fe54eaacf1f13591ee7277c6033a01d5e6d08a69262f32dd
                                                                                                                  • Opcode Fuzzy Hash: 92ba4b01844912a95d643fb8b015f7d5b944d015afe501d659c97a5515ddacf0
                                                                                                                  • Instruction Fuzzy Hash: 7B726F71A002199FCB54DF69C894AEEBBB6FF98300F14856AE805AB3A5DB30DD45CB50
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2906422903.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_df0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: N
                                                                                                                  • API String ID: 0-1130791706
                                                                                                                  • Opcode ID: 1802873f2da1ef985b2db988a9c81f026dbd9a201f7b9432b2f1bd0230b62fee
                                                                                                                  • Instruction ID: b812b41b88d264eb534ad38b374a1aa2bec943dba03ec38c66805cf29e72a2fc
                                                                                                                  • Opcode Fuzzy Hash: 1802873f2da1ef985b2db988a9c81f026dbd9a201f7b9432b2f1bd0230b62fee
                                                                                                                  • Instruction Fuzzy Hash: 3F73E731D1075A8ECB11EF68C854AADFBB1FF99300F15D69AE44867221EB70AAC4CF51
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2906422903.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_df0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: Xbq$Xbq
                                                                                                                  • API String ID: 0-1243427068
                                                                                                                  • Opcode ID: fc362677ddd867fe7396ccefd9e84f09a157130fb47b2a333daa2009d40cedb4
                                                                                                                  • Instruction ID: bea0f7fbb6698fe71d85578b9695765bfe0ac27897d2fd0f67f87d5e5d9aa450
                                                                                                                  • Opcode Fuzzy Hash: fc362677ddd867fe7396ccefd9e84f09a157130fb47b2a333daa2009d40cedb4
                                                                                                                  • Instruction Fuzzy Hash: B722261279C294CED7250F2688B46E27BB2EF2B30138980CBDCC54B479E7645ACBD725
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2906422903.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_df0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: Xbq$$^q
                                                                                                                  • API String ID: 0-1593437937
                                                                                                                  • Opcode ID: 3b1330567de7aae050e135c53f76820ad7bf9145e97b3e76a82b767af73ed1d2
                                                                                                                  • Instruction ID: ebd8bdedfb8363e20e481b5e7b6436cdcf6f1ef39dda345a0a4dbc795941e23e
                                                                                                                  • Opcode Fuzzy Hash: 3b1330567de7aae050e135c53f76820ad7bf9145e97b3e76a82b767af73ed1d2
                                                                                                                  • Instruction Fuzzy Hash: 57917070B04358DBDB18EF78885827EBBA6BFC8740B16C52AD546E7394DE34C902D7A1
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2911193924.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_54a0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: PH^q$PH^q
                                                                                                                  • API String ID: 0-1598597984
                                                                                                                  • Opcode ID: e43f09b2ea2848af4f0a70c15f02915294a5e8f300c606ce1949d377c1d86587
                                                                                                                  • Instruction ID: 9eae7a18152c83a085fb85999ad3385e74d633e8ba5b91d04c49f45a1271df96
                                                                                                                  • Opcode Fuzzy Hash: e43f09b2ea2848af4f0a70c15f02915294a5e8f300c606ce1949d377c1d86587
                                                                                                                  • Instruction Fuzzy Hash: E181CE75E00218CFDB58DFAAD9946DEBBF2BF89300F24806AD419AB354DB345946CF50
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2911193924.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_54a0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 1000ee5cd124898ff90ad434b4d89d7b877562a96ce9277cbd3c532e125515cd
                                                                                                                  • Instruction ID: 5f3bce593ab99add03319d6a9097caf498741acd59b6b564cdacb982b150b205
                                                                                                                  • Opcode Fuzzy Hash: 1000ee5cd124898ff90ad434b4d89d7b877562a96ce9277cbd3c532e125515cd
                                                                                                                  • Instruction Fuzzy Hash: 47826E74E012288FDB64DF69D998BDDBBB2BF89300F1081EA940DA7265DB315E85CF50
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2906422903.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_df0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 5b07a8b055b7d27ddb82a3b4921693bdb827306ec9086f53ee40a9e7a2de8f8d
                                                                                                                  • Instruction ID: 076d693e824e99b36491e54046dbb50631cd7cf8b64ce13d78e015abc61af879
                                                                                                                  • Opcode Fuzzy Hash: 5b07a8b055b7d27ddb82a3b4921693bdb827306ec9086f53ee40a9e7a2de8f8d
                                                                                                                  • Instruction Fuzzy Hash: A1C19274E01218CFDB18DFA5D954BADBBB2FB89300F2085A9D809A7365DB359A85CF10
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2906422903.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_df0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 124c15c8735e995ea4775cdba235734e382a0ff96af7c3127ecd1dfdb221f903
                                                                                                                  • Instruction ID: cde45cce24739fdb3239c92ece28d879a5b6391e6a7b8f8dfbf9d18a4ba5c8a3
                                                                                                                  • Opcode Fuzzy Hash: 124c15c8735e995ea4775cdba235734e382a0ff96af7c3127ecd1dfdb221f903
                                                                                                                  • Instruction Fuzzy Hash: 1EA13571D106198EDB14DFA9C8847EDFBB1FF89300F15D2AAE408A7261EB709A85CF51
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2906422903.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_df0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 0a3ce7ef4c774f945fb53d7c3ba2b5acf5a0494c02dbad8d690bed6dd83fa1e4
                                                                                                                  • Instruction ID: 3aaa193c2bb4363dbd63bdc56784f3768e961a284d4ba28a43fca1f923ed5e85
                                                                                                                  • Opcode Fuzzy Hash: 0a3ce7ef4c774f945fb53d7c3ba2b5acf5a0494c02dbad8d690bed6dd83fa1e4
                                                                                                                  • Instruction Fuzzy Hash: 93A10570D00208CFDB14DFA9D998BEDBBB1FF88304F249269E508A72A1DB749985CF50
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2906422903.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_df0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 6bf3e61b32915b8d3694889288ca216ab511735ac8bb3fde713280195b7c0231
                                                                                                                  • Instruction ID: 69f43ebc1eabce882d4f3381b4c94f54f10d1c675d70440a82073f9a1f2757d4
                                                                                                                  • Opcode Fuzzy Hash: 6bf3e61b32915b8d3694889288ca216ab511735ac8bb3fde713280195b7c0231
                                                                                                                  • Instruction Fuzzy Hash: 4AA11570D00208CFDB14DFA9D998BEDBBB1FF88310F249269E508A72A1DB745985CF50
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2906422903.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_df0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 0a5802f471f693c22115bcd86cb8e2930d62194c43d53bc06c1feb16aa74da20
                                                                                                                  • Instruction ID: 381c30572d743600f29f46d1c7a2f7dd7f1f9e5d90d33f65dc4de0b6a299eca9
                                                                                                                  • Opcode Fuzzy Hash: 0a5802f471f693c22115bcd86cb8e2930d62194c43d53bc06c1feb16aa74da20
                                                                                                                  • Instruction Fuzzy Hash: F891E270D00608CFDB14DFA8D998BECBBB1FF49310F249269E509AB291DB749985CF25
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2911193924.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_54a0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 5aadcb83ef7db1fe1a731cd4f5b4496f0be87918bd9be236a499f7d2b3c794d5
                                                                                                                  • Instruction ID: 11ef3ac600294e65964ec7f9382233e05566965524753f7b521d7a633bbd9fb7
                                                                                                                  • Opcode Fuzzy Hash: 5aadcb83ef7db1fe1a731cd4f5b4496f0be87918bd9be236a499f7d2b3c794d5
                                                                                                                  • Instruction Fuzzy Hash: 6081A274E412289FDB64DF29D995BEDBBB2BF89300F1080EAD809A7254DB715E81CF40
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2906422903.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_df0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 315f3b4d0c8fc13d287c021d50c10cdf6eb4039c6e8fe04eaf97eefcb636da2a
                                                                                                                  • Instruction ID: 6596a2fabfbf616a86b0eeea70f4ec204dde0126b238895f0b6ee77b0add1867
                                                                                                                  • Opcode Fuzzy Hash: 315f3b4d0c8fc13d287c021d50c10cdf6eb4039c6e8fe04eaf97eefcb636da2a
                                                                                                                  • Instruction Fuzzy Hash: 2D41F274D01248CBDB18CFAAD4546EDFBF2AF89304F24D12AD819AB355DB354946CF50
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2906422903.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_df0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: LR^q$\v$\v$\v$\v$\v
                                                                                                                  • API String ID: 0-931508885
                                                                                                                  • Opcode ID: 732ae60ee0671e8bcebdd23b3159dd4a22bd95a3fd995af549b78ff742c5d86c
                                                                                                                  • Instruction ID: de8f0a87b8f38a5269445f1bca0eaabe229fcdecebcd9e71de82211cf4bfa17f
                                                                                                                  • Opcode Fuzzy Hash: 732ae60ee0671e8bcebdd23b3159dd4a22bd95a3fd995af549b78ff742c5d86c
                                                                                                                  • Instruction Fuzzy Hash: 8BA13E74A01609CFCF05EFA8E994A9DBBB1FF88304B108669D405AB379DB70AD55CF81
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2906422903.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_df0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: LR^q$\v$\v$\v$\v$\v
                                                                                                                  • API String ID: 0-931508885
                                                                                                                  • Opcode ID: d20cc6e166cd9cea34064d296a9dd065ec8ee7c9ad4c988fc92934c899300581
                                                                                                                  • Instruction ID: 2a5018763ffd11245e2bc06dc989b99669f9b9a5deaab330a4240c97e5f807e5
                                                                                                                  • Opcode Fuzzy Hash: d20cc6e166cd9cea34064d296a9dd065ec8ee7c9ad4c988fc92934c899300581
                                                                                                                  • Instruction Fuzzy Hash: 45A12F74A01609CFCF04EFA8E995A9DBBB1FF88304B108669E405AB379DB706D55CF90
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2906422903.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_df0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 8cq$Hbq$Hbq$Hbq$TJcq
                                                                                                                  • API String ID: 0-1895975235
                                                                                                                  • Opcode ID: dd3e38cb8e7912480a96e66081e6d79109d5bea9b27ad996424c353745b61e6b
                                                                                                                  • Instruction ID: 9d2d0527aa9f69b244305191ff478873ef0eb586a441b9a08c2ac8a9dff038dd
                                                                                                                  • Opcode Fuzzy Hash: dd3e38cb8e7912480a96e66081e6d79109d5bea9b27ad996424c353745b61e6b
                                                                                                                  • Instruction Fuzzy Hash: 87D1E931B041088FCB14DF68C495ABD7BB6EF89320F298166E645EB3A1CB35DD41CB61
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2906422903.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_df0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
                                                                                                                  • API String ID: 0-1487592376
                                                                                                                  • Opcode ID: 6dd467376fe5e0f61e57bec272b65ea8e69d9aaac963ec4117745580be2dedfa
                                                                                                                  • Instruction ID: 598c890ca309d24eb85d37f8c43a289638ebeaf638294dabb0fb2af5a29da384
                                                                                                                  • Opcode Fuzzy Hash: 6dd467376fe5e0f61e57bec272b65ea8e69d9aaac963ec4117745580be2dedfa
                                                                                                                  • Instruction Fuzzy Hash: D651C374E00208DFDB48DFAAD584AAEBBF2BF89310F15C569E915AB364DB349841CF50
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2906422903.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_df0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: $Hbq$Hbq$Hbq
                                                                                                                  • API String ID: 0-580995494
                                                                                                                  • Opcode ID: 66ef8707323d32b1c866f204b07a9325fec9c63f00fc82949f51ea620f0d0702
                                                                                                                  • Instruction ID: 54f5161962ba5758e387191b7f42e903ee8dfd60b0fae2993762ac581b8d09b4
                                                                                                                  • Opcode Fuzzy Hash: 66ef8707323d32b1c866f204b07a9325fec9c63f00fc82949f51ea620f0d0702
                                                                                                                  • Instruction Fuzzy Hash: 4261B330B002489FDB196F78D85927E7AA3EFC5360F25852AE6169B3D1DF348D02C765
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2906422903.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_df0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: Xbq$Xbq$Xbq$Xbq
                                                                                                                  • API String ID: 0-2732225958
                                                                                                                  • Opcode ID: 37d281ba39e9d6f7b3a7abca5423b922540bfa2bbfaff9b6bb1ce4635998a70b
                                                                                                                  • Instruction ID: 2a9b42d7e62e4979b25adcafed8d0b0cb58439c7de8fdb51efff6d13ef182ad5
                                                                                                                  • Opcode Fuzzy Hash: 37d281ba39e9d6f7b3a7abca5423b922540bfa2bbfaff9b6bb1ce4635998a70b
                                                                                                                  • Instruction Fuzzy Hash: D2B16131B4821DCECB258F6988A07FAB772EF5A300F95C496D984AB168E7304EC7C755
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2906422903.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_df0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: $Hbq$Hbq$Hbq
                                                                                                                  • API String ID: 0-580995494
                                                                                                                  • Opcode ID: 83abfae86042321a8309d69b3016caa258115d55cc67580c78e3da76ff6bacbf
                                                                                                                  • Instruction ID: 5585fd3096367b4b67bb0ca3b3957c74b78758371cbcac0c64b577c6d6e00423
                                                                                                                  • Opcode Fuzzy Hash: 83abfae86042321a8309d69b3016caa258115d55cc67580c78e3da76ff6bacbf
                                                                                                                  • Instruction Fuzzy Hash: DA71A4307002489BDF196F78D85927E7A93EFC5370F25822AEA269B3D0CF358D418765
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2911193924.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_54a0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: $^q$$^q
                                                                                                                  • API String ID: 0-355816377
                                                                                                                  • Opcode ID: 213265292be2842e75dbd2f5ed62ee54814dd4b7d5f683df3597183474220151
                                                                                                                  • Instruction ID: 5266f568ef9886e7db3490abd527bc32c37423a31ae7a3136e128eda24cfc68d
                                                                                                                  • Opcode Fuzzy Hash: 213265292be2842e75dbd2f5ed62ee54814dd4b7d5f683df3597183474220151
                                                                                                                  • Instruction Fuzzy Hash: 9B626074A00218DFEB54DBA4C864B9EBBB6FF84300F1081A9D10A6B3A5DF359E85DF51
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2911193924.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_54a0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: Hbq$Hbq
                                                                                                                  • API String ID: 0-4258043069
                                                                                                                  • Opcode ID: b23851088df929fe5e2e23d240d35e31ef200b00d4affb101dd4662696a8adce
                                                                                                                  • Instruction ID: 83e7c0d5f4a8baa10c07ae0ad4340a5dbaa0b30f16b73b6d6a5f163c617151dd
                                                                                                                  • Opcode Fuzzy Hash: b23851088df929fe5e2e23d240d35e31ef200b00d4affb101dd4662696a8adce
                                                                                                                  • Instruction Fuzzy Hash: 7BC1DF363042519FCB559F26D858AAF7BB7BF88300F18846AE9468B395DF34CC42CB91
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2911193924.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_54a0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: ,bq$,bq
                                                                                                                  • API String ID: 0-2699258169
                                                                                                                  • Opcode ID: 7402385f6c723d69c75d53210415545891f57c3ee9e3d4dc8ab167cf2d7432dc
                                                                                                                  • Instruction ID: 2b7096dd7dc11ebeb9a9736974db1bc4fd9ccec2dfd3ba3b95c2e6d7cb0645d7
                                                                                                                  • Opcode Fuzzy Hash: 7402385f6c723d69c75d53210415545891f57c3ee9e3d4dc8ab167cf2d7432dc
                                                                                                                  • Instruction Fuzzy Hash: 1291B436B041058FDB94DF6AC4889EAB7B3FF99201B1881AAD406DB365D731EC41CB91
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2911193924.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_54a0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: (&^q$(bq
                                                                                                                  • API String ID: 0-1294341849
                                                                                                                  • Opcode ID: b19aa393aaf1206a1dca6609ae5a470d61dfcc93c4728d999aaf3c2dc621dab2
                                                                                                                  • Instruction ID: 4347f3c348775c24df37e6f6f74206f3918b52f19a8864685b4786f6f8a68221
                                                                                                                  • Opcode Fuzzy Hash: b19aa393aaf1206a1dca6609ae5a470d61dfcc93c4728d999aaf3c2dc621dab2
                                                                                                                  • Instruction Fuzzy Hash: 2571A432F002599BCB15EFB9C8546EEBBB6AFD4740F14856AE406A7380DF309D02CB95
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2906422903.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_df0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 8cq$TJcq
                                                                                                                  • API String ID: 0-1920894394
                                                                                                                  • Opcode ID: 8d6a5226792feedc465c73a1c5db23e59ffda36211ed6abd5fdec834166ae452
                                                                                                                  • Instruction ID: 969a4b04c72092f06c10c9d0309fc5882cf2f5713a20fac72457eee78e61f0c9
                                                                                                                  • Opcode Fuzzy Hash: 8d6a5226792feedc465c73a1c5db23e59ffda36211ed6abd5fdec834166ae452
                                                                                                                  • Instruction Fuzzy Hash: B8311A35B401098FCB04DFA8C585EADBBB2EF88320F195595E605AB365CB70ED858BA1
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2906422903.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_df0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 8cq$TJcq
                                                                                                                  • API String ID: 0-1920894394
                                                                                                                  • Opcode ID: 06187086fd8d0086c07b2744d97792571f41bf9faaf26a7052e4ade5c7d544c0
                                                                                                                  • Instruction ID: 7f454b02f0b7d6a99de38a651dd49e911cae58db8e5061a8eb526999d2332b3d
                                                                                                                  • Opcode Fuzzy Hash: 06187086fd8d0086c07b2744d97792571f41bf9faaf26a7052e4ade5c7d544c0
                                                                                                                  • Instruction Fuzzy Hash: 77311B35B401098FCB44DFA8C584EADBBB2EF88320F195455E605AB365CB71ED858BA1
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2906422903.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_df0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: Hbq
                                                                                                                  • API String ID: 0-1245868
                                                                                                                  • Opcode ID: bfa54e7d38c57cfe08cc18213355f60f633d4f68be4980981ee726308599c729
                                                                                                                  • Instruction ID: bca0b3db97fb0ce9e0febad765cc15a1ee442f9d721c1d4c5da9f4804810822a
                                                                                                                  • Opcode Fuzzy Hash: bfa54e7d38c57cfe08cc18213355f60f633d4f68be4980981ee726308599c729
                                                                                                                  • Instruction Fuzzy Hash: 6841E731B042489FCB05AB78D8555BE7FF6EF85310B1980BAE609DB392DE358D06C761
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2911193924.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_54a0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 4'^q
                                                                                                                  • API String ID: 0-1614139903
                                                                                                                  • Opcode ID: dfa3dd5dccf8ae01a7e3c495265e91e2e483755fd9e9e465dbcf37c2a5f4b53c
                                                                                                                  • Instruction ID: a96f7e747400f3190ae077e638a027b5a7f9e3026188759d43076e153021fbc7
                                                                                                                  • Opcode Fuzzy Hash: dfa3dd5dccf8ae01a7e3c495265e91e2e483755fd9e9e465dbcf37c2a5f4b53c
                                                                                                                  • Instruction Fuzzy Hash: A9413576604205DFCB94DF69D888AAA7BB6BF58311F0000AAF906CB3A1CB31DD51CB91
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2906422903.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_df0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: Hbq
                                                                                                                  • API String ID: 0-1245868
                                                                                                                  • Opcode ID: 32c9c1addd8fd802f3382be8f624ad10e5e9870cf084a4089efa71f3b99cb15d
                                                                                                                  • Instruction ID: 6b7376604673118c8e73a07d7caef0643bd0965d3dae2f62be28ff651842581c
                                                                                                                  • Opcode Fuzzy Hash: 32c9c1addd8fd802f3382be8f624ad10e5e9870cf084a4089efa71f3b99cb15d
                                                                                                                  • Instruction Fuzzy Hash: 2431B1307001089FC708EF69C895ABE7BB6FF88310F29806AE6458B3A1CF319D41CB90
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2911193924.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_54a0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: 4'^q
                                                                                                                  • API String ID: 0-1614139903
                                                                                                                  • Opcode ID: e0deb56b99ac6567e54c729a8d3afe0747acc01536b398803a123416b90557b9
                                                                                                                  • Instruction ID: 206bd4c07c880736a90a54f6962a6baa7135f49a285535b52aa395467505412e
                                                                                                                  • Opcode Fuzzy Hash: e0deb56b99ac6567e54c729a8d3afe0747acc01536b398803a123416b90557b9
                                                                                                                  • Instruction Fuzzy Hash: 2C21853270C2599FCB94DE65A8C86EB7BE7BB99210B044477F812CB355DB72DC418790
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2911193924.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_54a0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 248bab1319bce4833155891d193ce65b6b4f00ac2932e762d5b1d7eb32493227
                                                                                                                  • Instruction ID: 8a20d16876e84dafeaee7f832da92dce68aa767cf750473e8a992ac4360a9e02
                                                                                                                  • Opcode Fuzzy Hash: 248bab1319bce4833155891d193ce65b6b4f00ac2932e762d5b1d7eb32493227
                                                                                                                  • Instruction Fuzzy Hash: 24F12C72E00615DFCB54CF69D988DAEBBF2BF98310B15809AE515AB762C731EC41CB50
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2906422903.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_df0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 3367c1e250a4e36c3b3437afe2d95e48e0eb9ae56740f57d7a6b5c13cf34d655
                                                                                                                  • Instruction ID: 520fe01d71fb06db3b40a0b07c549ecae12f1f1c688348bc75ed30dedfc78a3d
                                                                                                                  • Opcode Fuzzy Hash: 3367c1e250a4e36c3b3437afe2d95e48e0eb9ae56740f57d7a6b5c13cf34d655
                                                                                                                  • Instruction Fuzzy Hash: 1161E476B1060D9FC7248E7DD9409BABBE5EFC8324B15D52AE619D7340DA31DC1287B0
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2911193924.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_54a0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 1aaba466fe00b4e8f6b918548dced171c890319f2ab1b7416dd6d530172dbd0c
                                                                                                                  • Instruction ID: 4ae39c9ea7b8efbd79960f2aad264888623ab26ada6575669b584f1e2c23d3af
                                                                                                                  • Opcode Fuzzy Hash: 1aaba466fe00b4e8f6b918548dced171c890319f2ab1b7416dd6d530172dbd0c
                                                                                                                  • Instruction Fuzzy Hash: 94516A323181559FCB94DF39D8C8ABB7BEABF9964030544ABF416DB365EA21DC018B90
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2911193924.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_54a0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 67a69366b5859edd95f400660df0df1636f9ef4dbf9923ccde108e3ea56d21d1
                                                                                                                  • Instruction ID: 0ffa254eceff82eee28afd6e3f3f21d5d1f22834061338ddbc91cf3fcfb6a366
                                                                                                                  • Opcode Fuzzy Hash: 67a69366b5859edd95f400660df0df1636f9ef4dbf9923ccde108e3ea56d21d1
                                                                                                                  • Instruction Fuzzy Hash: 43417532E102199BDB14DFA5C884ADEBBF5FF98700F19812AE405B7340DB70AD46CB90
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2906422903.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_df0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 8869fbc33cb2980f747f75280e26ba3909f002a5b7053e4cb36621c0377b740f
                                                                                                                  • Instruction ID: 64f7eb52bcbe0e4ec0bca50847cab337d4595e5d023a3e5f3001dccd31cdd681
                                                                                                                  • Opcode Fuzzy Hash: 8869fbc33cb2980f747f75280e26ba3909f002a5b7053e4cb36621c0377b740f
                                                                                                                  • Instruction Fuzzy Hash: D7419274E01208DFCB08DFAAD8849ADBBB2BF89310F25D569E405BB364DB349945CF64
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2906422903.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_df0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 026924b706f4df71cb3fc05bc9d733d05b3c600a3bbe886fa72c496f2f59097a
                                                                                                                  • Instruction ID: 1e974ae804ceddc4158b0db3ace80b7bae953ee0ccd6552d80dd3770d2c8b33d
                                                                                                                  • Opcode Fuzzy Hash: 026924b706f4df71cb3fc05bc9d733d05b3c600a3bbe886fa72c496f2f59097a
                                                                                                                  • Instruction Fuzzy Hash: 4B31A17047260B8FD2493B21A9AE2BE7FA2FB4F313745AC48F56A91526DF7444488A14
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2911193924.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_54a0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 5171d0e2b6d13b01a8aa712dec5e7f888741a17978c7fa390f0dc43e7be44f80
                                                                                                                  • Instruction ID: dd002cadfcdee52623f30a97fce9704e14faf98b07383e9a0b3550a4074fdb57
                                                                                                                  • Opcode Fuzzy Hash: 5171d0e2b6d13b01a8aa712dec5e7f888741a17978c7fa390f0dc43e7be44f80
                                                                                                                  • Instruction Fuzzy Hash: 5131903130114AAFCF419F64D858ABF7BB2FB98300F004066FA1697395DB35C9A1DBA1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2911193924.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_54a0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 8f0a9796e45887dd3592cc22aa8eed16bf48362d2f99a3761cbc65a552f7ae4a
                                                                                                                  • Instruction ID: 42b0f73a1e739b94c12c1de2112f07f71548789c3fa8953ca7e28197e3c57c9b
                                                                                                                  • Opcode Fuzzy Hash: 8f0a9796e45887dd3592cc22aa8eed16bf48362d2f99a3761cbc65a552f7ae4a
                                                                                                                  • Instruction Fuzzy Hash: 3F213A323002015BEBA59B39E8D86BF7AA7BFD561471480B7F407CB394EE25CC429792
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2911193924.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_54a0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: d8f5f2ac8e789ae56e9a5eeebf0e569eb4658ef655d10b0adf9c50726eef9f75
                                                                                                                  • Instruction ID: 4485bc5d99d746e3b625fca44ba7bc1616a3019ebd49fd0d4f8114017eb8d325
                                                                                                                  • Opcode Fuzzy Hash: d8f5f2ac8e789ae56e9a5eeebf0e569eb4658ef655d10b0adf9c50726eef9f75
                                                                                                                  • Instruction Fuzzy Hash: D521C5323042014BEBA59A29D8987BF6AA7BFD5614F24807AE507CB394EE25CC429381
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2911193924.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_54a0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: ca923bb33520ecdffe21d79c5c2f404ad4a824ff65a4f5e498631f238965cbb4
                                                                                                                  • Instruction ID: 7ca6f04ef7509d4e52c1f91049e7ec0cc469f6feb025cfed490d98b2cfac5087
                                                                                                                  • Opcode Fuzzy Hash: ca923bb33520ecdffe21d79c5c2f404ad4a824ff65a4f5e498631f238965cbb4
                                                                                                                  • Instruction Fuzzy Hash: FC316F71E046099FCB04CF69C8CCAEEBBB6BF89310B15819AE556A77A5C7309C41CB94
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2905209619.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_cad000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 9770765758996f24bbfad1e70fc89070e3f2c4d8faa654440ed442ea86d290f3
                                                                                                                  • Instruction ID: 4554dc45a5048d54c63ca3a152876d1473ce0678c733115a5ad65ec5b8123c97
                                                                                                                  • Opcode Fuzzy Hash: 9770765758996f24bbfad1e70fc89070e3f2c4d8faa654440ed442ea86d290f3
                                                                                                                  • Instruction Fuzzy Hash: 07315E7550D3C49FC7138B24C990711BF71AB57218F29C5DBD98A8F6A3C23A980ACB62
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2906422903.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_df0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 5869bec9338469622aa02a3b290a8b4214f925920e93f45941809203cff44e57
                                                                                                                  • Instruction ID: ae446ee921d33e72a2d4a3658ba17f6e3abbfa095630a81b0ae64c688b2bb627
                                                                                                                  • Opcode Fuzzy Hash: 5869bec9338469622aa02a3b290a8b4214f925920e93f45941809203cff44e57
                                                                                                                  • Instruction Fuzzy Hash: F721C179A0010A9FCB14DF34C4509BE37A5EB99764B15C01DD95E9B340EA34EE06CBE2
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2905209619.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_cad000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: fd44c8aec1485f0f3bd7d01a8f48eec7d2e00e7a47131b91dcd5fcc8fbae9613
                                                                                                                  • Instruction ID: 0550860e328399ad4bc3878d842f17b92c759d6477e4f25b9e4a2cf708c143f1
                                                                                                                  • Opcode Fuzzy Hash: fd44c8aec1485f0f3bd7d01a8f48eec7d2e00e7a47131b91dcd5fcc8fbae9613
                                                                                                                  • Instruction Fuzzy Hash: 4B213471504201DFCB10DF14D9C0B26BBA5FB85318F20C56DD84B4B696C33AD847CA62
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2911193924.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_54a0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 6956c81065970e6f3c3c5bdd7696b767afbf6490c4d0ee9df051b1bcd6f1ca5c
                                                                                                                  • Instruction ID: 99a0d888e7ff7fe55b817bfba136da3b098cef8268a94eb3f0c464cd0031c0b2
                                                                                                                  • Opcode Fuzzy Hash: 6956c81065970e6f3c3c5bdd7696b767afbf6490c4d0ee9df051b1bcd6f1ca5c
                                                                                                                  • Instruction Fuzzy Hash: 691108363082946FCF466F7858186AF3FB7EFC9240B14446AE545D7382CF344D168796
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2906422903.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_df0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: e7df7226f7beafb7fc66eac5dc044b8d806f548bdd30f1644871bfe520e699de
                                                                                                                  • Instruction ID: 1253f1d964413f5428a6564da943a0b58398b7d71af64e24fd582701de8719c6
                                                                                                                  • Opcode Fuzzy Hash: e7df7226f7beafb7fc66eac5dc044b8d806f548bdd30f1644871bfe520e699de
                                                                                                                  • Instruction Fuzzy Hash: 5821BE70E012099FCB09EFB9C4403AEBBB2EF89308F11C5A9E4049B385DBB09A45CF51
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2911193924.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_54a0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: aba130c4ea48728553f064cdc6ca9828e6d07e7420fbe55d13c12a7279ffab2f
                                                                                                                  • Instruction ID: 58c03775374a9349ae0de5c4fc2eaa6655493dbcbe850719f36a4304f0e5dd61
                                                                                                                  • Opcode Fuzzy Hash: aba130c4ea48728553f064cdc6ca9828e6d07e7420fbe55d13c12a7279ffab2f
                                                                                                                  • Instruction Fuzzy Hash: 77218C72900208EFCB24CF54C808FEBBBB6FB68314F0085AAE55A9B251D771D954CF91
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2906422903.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_df0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: c5f11a117c994c3cb22cb17a9dc23f06e1a6638b1ad26647d8ba982f761ffcf7
                                                                                                                  • Instruction ID: d4a800910d73f11f98d8451620aa61b449775c630e015ecbe24c6a6fece03633
                                                                                                                  • Opcode Fuzzy Hash: c5f11a117c994c3cb22cb17a9dc23f06e1a6638b1ad26647d8ba982f761ffcf7
                                                                                                                  • Instruction Fuzzy Hash: 34210775D15249CFCB05DFA9D9546EDBFF0EF4A310F04826AD405B7261EB304A89CBA1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2906422903.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_df0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 4c9e22c7ea408f851b2d93d15479d336b1ae239d72166d40ae53026f14b58813
                                                                                                                  • Instruction ID: 9309957af60bf982153fbf9f48dfd86559743c29b8ad1e703f21af41bbb896f7
                                                                                                                  • Opcode Fuzzy Hash: 4c9e22c7ea408f851b2d93d15479d336b1ae239d72166d40ae53026f14b58813
                                                                                                                  • Instruction Fuzzy Hash: A6114F757002088FC714DB69D988A66B7E6FF99721B25846AE249CF364CB71EC44CB60
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2911193924.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_54a0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 31e653583fd0cf084ca4a8830b9efea1d1fa2f8c2000b4ad79e3896deb6173bb
                                                                                                                  • Instruction ID: d026753c1fd59e94e96c560e7586e92f6583a0ea074619d11ffc44951eda633b
                                                                                                                  • Opcode Fuzzy Hash: 31e653583fd0cf084ca4a8830b9efea1d1fa2f8c2000b4ad79e3896deb6173bb
                                                                                                                  • Instruction Fuzzy Hash: 081167B2800249DFCB10DF99C844BEFBFF4EB58320F14841AEA14A7211C335A950CFA0
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2911193924.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_54a0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 87e8fee66f1944817658fc25c4d067ba3d8b86638ece55e704ab5356d11a92c8
                                                                                                                  • Instruction ID: d38388e94ef874f88c8fe1ebfe355009f4185c19e783f2d30f85092ffc05b5be
                                                                                                                  • Opcode Fuzzy Hash: 87e8fee66f1944817658fc25c4d067ba3d8b86638ece55e704ab5356d11a92c8
                                                                                                                  • Instruction Fuzzy Hash: 6D1123B680024ADFDB10DF99C845BDEBFF4EB48320F14841AEA18A7251C739A590DFA5
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2911193924.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_54a0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 87d7580779a34a7b19aeff8bda7a41439c9f0f5a0b2a5a3dc41592ebf511147b
                                                                                                                  • Instruction ID: 9dda555e6f2e54cc580edd05c50b8dffca38caa743d660979a24fc5012a86a73
                                                                                                                  • Opcode Fuzzy Hash: 87d7580779a34a7b19aeff8bda7a41439c9f0f5a0b2a5a3dc41592ebf511147b
                                                                                                                  • Instruction Fuzzy Hash: DF110075F00548CFDB04DFB8D850BEEBBB2EB58311F059466E909E7349DA3099868B51
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2906422903.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_df0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: fbfeb5021f24b4895a69fa2cee2ebde541c289034721a9d5a8d5d5b8f80fecc1
                                                                                                                  • Instruction ID: c2b877c1178df29fa29da215d17d8956d695e6f9e4e4a711949b28959b0646eb
                                                                                                                  • Opcode Fuzzy Hash: fbfeb5021f24b4895a69fa2cee2ebde541c289034721a9d5a8d5d5b8f80fecc1
                                                                                                                  • Instruction Fuzzy Hash: 73117C317042048FD7149B25D948A66B7E5EF89720B1A80AEE249CF365CB71DC05CB61
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2906422903.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_df0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 14c3a2a81987b6e00e39a1ce3d641b88a84a4238f5c721b1b39e1599e89bedf9
                                                                                                                  • Instruction ID: 71269ec46a26f2491fee5cd73ecd845a8ad23726757d88d62a0b015901f09d48
                                                                                                                  • Opcode Fuzzy Hash: 14c3a2a81987b6e00e39a1ce3d641b88a84a4238f5c721b1b39e1599e89bedf9
                                                                                                                  • Instruction Fuzzy Hash: 2201A732B002195FD724AB768D4867F76EBAFC8664315C439DA09D7714FE70CC0547A1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000006.00000002.2906422903.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_6_2_df0000_MB263350411AE_1.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API ID:
                                                                                                                  • String ID: Xbq$Xbq$Xbq$Xbq
                                                                                                                  • API String ID: 0-2732225958
                                                                                                                  • Opcode ID: 4409824e41e397f8bd12b3a293b84bb066bca93cc7a675730b69650cc06c1777
                                                                                                                  • Instruction ID: 8a038199ab903db8f0113ff6ee6da56fdcba6b182462da0d424f578a2f4b58f7
                                                                                                                  • Opcode Fuzzy Hash: 4409824e41e397f8bd12b3a293b84bb066bca93cc7a675730b69650cc06c1777
                                                                                                                  • Instruction Fuzzy Hash: 58319674E0121DCBDF64CF6985403BEBAE6AF95310F16C479C659A7254EB30CD81CBA2

                                                                                                                  Execution Graph

                                                                                                                  Execution Coverage:10.4%
                                                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                                                  Signature Coverage:0%
                                                                                                                  Total number of Nodes:250
                                                                                                                  Total number of Limit Nodes:18
                                                                                                                  execution_graph 45197 5834132 45201 5834160 45197->45201 45205 5834150 45197->45205 45198 583414a 45202 58341a2 45201->45202 45204 58341a9 45201->45204 45203 58341fa CallWindowProcW 45202->45203 45202->45204 45203->45204 45204->45198 45206 5834160 45205->45206 45207 58341fa CallWindowProcW 45206->45207 45208 58341a9 45206->45208 45207->45208 45208->45198 44913 77303b7 44914 77300c9 44913->44914 44914->44913 44915 77303a4 44914->44915 44919 7732233 44914->44919 44936 77322a6 44914->44936 44954 7732240 44914->44954 44920 7732234 44919->44920 44921 7732262 44920->44921 44971 773295a 44920->44971 44976 7732ab4 44920->44976 44984 7732854 44920->44984 44989 7732b75 44920->44989 44993 7732c95 44920->44993 45001 7732570 44920->45001 45007 77328b1 44920->45007 45019 7732828 44920->45019 45024 773300a 44920->45024 45033 7732dc4 44920->45033 45042 7732665 44920->45042 45048 7732561 44920->45048 45054 7732bc2 44920->45054 45058 77327be 44920->45058 44921->44914 44937 7732234 44936->44937 44939 77322a9 44936->44939 44938 7732262 44937->44938 44940 77328b1 6 API calls 44937->44940 44941 7732570 2 API calls 44937->44941 44942 7732c95 4 API calls 44937->44942 44943 7732b75 2 API calls 44937->44943 44944 7732854 2 API calls 44937->44944 44945 7732ab4 4 API calls 44937->44945 44946 773295a 2 API calls 44937->44946 44947 77327be 4 API calls 44937->44947 44948 7732bc2 2 API calls 44937->44948 44949 7732561 2 API calls 44937->44949 44950 7732665 2 API calls 44937->44950 44951 7732dc4 4 API calls 44937->44951 44952 773300a 4 API calls 44937->44952 44953 7732828 2 API calls 44937->44953 44938->44914 44939->44914 44940->44938 44941->44938 44942->44938 44943->44938 44944->44938 44945->44938 44946->44938 44947->44938 44948->44938 44949->44938 44950->44938 44951->44938 44952->44938 44953->44938 44955 7732243 44954->44955 44956 7732262 44955->44956 44957 77328b1 6 API calls 
44955->44957 44958 7732570 2 API calls 44955->44958 44959 7732c95 4 API calls 44955->44959 44960 7732b75 2 API calls 44955->44960 44961 7732854 2 API calls 44955->44961 44962 7732ab4 4 API calls 44955->44962 44963 773295a 2 API calls 44955->44963 44964 77327be 4 API calls 44955->44964 44965 7732bc2 2 API calls 44955->44965 44966 7732561 2 API calls 44955->44966 44967 7732665 2 API calls 44955->44967 44968 7732dc4 4 API calls 44955->44968 44969 773300a 4 API calls 44955->44969 44970 7732828 2 API calls 44955->44970 44956->44914 44957->44956 44958->44956 44959->44956 44960->44956 44961->44956 44962->44956 44963->44956 44964->44956 44965->44956 44966->44956 44967->44956 44968->44956 44969->44956 44970->44956 44972 773296b 44971->44972 45066 8e8f9c8 44972->45066 45070 8e8f9d0 44972->45070 44973 773296e 44973->44921 44978 7732d7a 44976->44978 44979 7732ac1 44976->44979 44977 7732feb 45074 8e8f348 44978->45074 45078 8e8f350 44978->45078 45082 8e8f3f9 44979->45082 45086 8e8f400 44979->45086 44985 7732b3e 44984->44985 45090 8e8f908 44985->45090 45094 8e8f910 44985->45094 44986 7732b5f 44991 8e8f9c8 WriteProcessMemory 44989->44991 44992 8e8f9d0 WriteProcessMemory 44989->44992 44990 7732ba3 44991->44990 44992->44990 44994 7732c9b 44993->44994 44999 8e8f348 ResumeThread 44994->44999 45000 8e8f350 ResumeThread 44994->45000 44995 7732f9e 44997 8e8f3f9 Wow64SetThreadContext 44995->44997 44998 8e8f400 Wow64SetThreadContext 44995->44998 44996 7732feb 44997->44996 44998->44996 44999->44995 45000->44995 45002 77325a3 45001->45002 45003 77326fc 45002->45003 45098 8e8fc58 45002->45098 45102 8e8fc4c 45002->45102 45003->44921 45008 7732ce5 45007->45008 45017 8e8f9c8 WriteProcessMemory 45008->45017 45018 8e8f9d0 WriteProcessMemory 45008->45018 45009 77327b4 45010 77327c6 45009->45010 45013 8e8f348 ResumeThread 45009->45013 45014 8e8f350 ResumeThread 45009->45014 45010->44921 45011 7732f9e 45015 8e8f3f9 Wow64SetThreadContext 45011->45015 45016 8e8f400 Wow64SetThreadContext 45011->45016 
45012 7732feb 45013->45011 45014->45011 45015->45012 45016->45012 45017->45009 45018->45009 45020 7732c03 45019->45020 45022 8e8f3f9 Wow64SetThreadContext 45020->45022 45023 8e8f400 Wow64SetThreadContext 45020->45023 45021 7732c1e 45021->44921 45022->45021 45023->45021 45025 77327b4 45024->45025 45026 77327c6 45025->45026 45029 8e8f348 ResumeThread 45025->45029 45030 8e8f350 ResumeThread 45025->45030 45026->44921 45027 7732f9e 45031 8e8f3f9 Wow64SetThreadContext 45027->45031 45032 8e8f400 Wow64SetThreadContext 45027->45032 45028 7732feb 45029->45027 45030->45027 45031->45028 45032->45028 45034 77327b4 45033->45034 45035 77327c6 45034->45035 45038 8e8f348 ResumeThread 45034->45038 45039 8e8f350 ResumeThread 45034->45039 45035->44921 45036 7732f9e 45040 8e8f3f9 Wow64SetThreadContext 45036->45040 45041 8e8f400 Wow64SetThreadContext 45036->45041 45037 7732feb 45038->45036 45039->45036 45040->45037 45041->45037 45043 77326fc 45042->45043 45044 773262f 45042->45044 45043->44921 45044->45043 45046 8e8fc58 CreateProcessA 45044->45046 45047 8e8fc4c CreateProcessA 45044->45047 45045 7732795 45045->44921 45046->45045 45047->45045 45050 7732568 45048->45050 45049 77326fc 45049->44921 45050->45049 45052 8e8fc58 CreateProcessA 45050->45052 45053 8e8fc4c CreateProcessA 45050->45053 45051 7732795 45051->44921 45052->45051 45053->45051 45106 8e8fab9 45054->45106 45110 8e8fac0 45054->45110 45055 7732be4 45055->44921 45059 77327bf 45058->45059 45064 8e8f348 ResumeThread 45059->45064 45065 8e8f350 ResumeThread 45059->45065 45060 7732f9e 45062 8e8f3f9 Wow64SetThreadContext 45060->45062 45063 8e8f400 Wow64SetThreadContext 45060->45063 45061 7732feb 45062->45061 45063->45061 45064->45060 45065->45060 45067 8e8f9d0 WriteProcessMemory 45066->45067 45069 8e8fa6f 45067->45069 45069->44973 45071 8e8fa18 WriteProcessMemory 45070->45071 45073 8e8fa6f 45071->45073 45073->44973 45075 8e8f390 ResumeThread 45074->45075 45077 8e8f3c1 45075->45077 45077->44979 45079 8e8f390 ResumeThread 45078->45079 
45081 8e8f3c1 45079->45081 45081->44979 45083 8e8f445 Wow64SetThreadContext 45082->45083 45085 8e8f48d 45083->45085 45085->44977 45087 8e8f445 Wow64SetThreadContext 45086->45087 45089 8e8f48d 45087->45089 45089->44977 45091 8e8f910 VirtualAllocEx 45090->45091 45093 8e8f98d 45091->45093 45093->44986 45095 8e8f950 VirtualAllocEx 45094->45095 45097 8e8f98d 45095->45097 45097->44986 45099 8e8fce1 CreateProcessA 45098->45099 45101 8e8fea3 45099->45101 45103 8e8fc58 CreateProcessA 45102->45103 45105 8e8fea3 45103->45105 45107 8e8fac0 ReadProcessMemory 45106->45107 45109 8e8fb4f 45107->45109 45109->45055 45111 8e8fb0b ReadProcessMemory 45110->45111 45113 8e8fb4f 45111->45113 45113->45055 45123 31dd378 45124 31dd37d 45123->45124 45128 31dd558 45124->45128 45132 31dd547 45124->45132 45125 31dd4ab 45129 31dd559 45128->45129 45136 31db3b0 45129->45136 45133 31dd554 45132->45133 45134 31db3b0 DuplicateHandle 45133->45134 45135 31dd586 45134->45135 45135->45125 45137 31dd9c8 DuplicateHandle 45136->45137 45139 31dd586 45137->45139 45139->45125 45209 31d4668 45210 31d4669 45209->45210 45211 31d4686 45210->45211 45213 31d4778 45210->45213 45214 31d477c 45213->45214 45218 31d4878 45214->45218 45222 31d4888 45214->45222 45220 31d487c 45218->45220 45219 31d498c 45219->45219 45220->45219 45226 31d44f0 45220->45226 45224 31d4889 45222->45224 45223 31d498c 45223->45223 45224->45223 45225 31d44f0 CreateActCtxA 45224->45225 45225->45223 45227 31d5918 CreateActCtxA 45226->45227 45229 31d59db 45227->45229 45229->45229 45140 8e83800 45141 8e83827 45140->45141 45142 8e838dd 45141->45142 45145 8e84368 45141->45145 45152 8e84309 45141->45152 45146 8e8437d 45145->45146 45159 8e845d8 45146->45159 45165 8e84443 45146->45165 45170 8e843b0 45146->45170 45175 8e843a0 45146->45175 45147 8e84392 45147->45141 45153 8e84368 45152->45153 45155 8e845d8 PostMessageW 45153->45155 45156 8e843a0 PostMessageW 45153->45156 45157 8e843b0 PostMessageW 45153->45157 45158 8e84443 PostMessageW 45153->45158 45154 
8e84392 45154->45141 45155->45154 45156->45154 45157->45154 45158->45154 45160 8e845f7 45159->45160 45162 8e843f6 45159->45162 45160->45147 45161 8e8450a 45161->45147 45162->45161 45180 7733538 45162->45180 45184 7733528 45162->45184 45167 8e843f6 45165->45167 45166 8e8450a 45166->45147 45167->45166 45168 7733538 PostMessageW 45167->45168 45169 7733528 PostMessageW 45167->45169 45168->45167 45169->45167 45172 8e843d7 45170->45172 45171 8e8450a 45171->45147 45172->45171 45173 7733538 PostMessageW 45172->45173 45174 7733528 PostMessageW 45172->45174 45173->45172 45174->45172 45177 8e843d7 45175->45177 45176 8e8450a 45176->45147 45177->45176 45178 7733538 PostMessageW 45177->45178 45179 7733528 PostMessageW 45177->45179 45178->45177 45179->45177 45181 773353b 45180->45181 45182 7733550 45181->45182 45188 773355b 45181->45188 45182->45162 45185 773352c 45184->45185 45186 7733550 45185->45186 45187 773355b PostMessageW 45185->45187 45186->45162 45187->45186 45189 7733562 45188->45189 45190 7733588 45188->45190 45189->45182 45191 7733723 45190->45191 45193 773082c 45190->45193 45191->45182 45191->45191 45194 7733818 PostMessageW 45193->45194 45196 7733884 45194->45196 45196->45190 45114 31daed0 45115 31daed1 45114->45115 45118 31db3c1 45115->45118 45116 31daedf 45120 31db3d0 45118->45120 45119 31db404 45119->45116 45120->45119 45121 31db608 GetModuleHandleW 45120->45121 45122 31db635 45121->45122 45122->45116
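The execution graph above fans out from one dispatcher (node 44920 at 0x7732234) to sub-graphs that call CreateProcessA, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext and ResumeThread, with ReadProcessMemory alongside: the classic process-hollowing (RunPE) chain, in which a suspended child is created, its image is replaced from the injector's memory and its thread context is repointed before resuming. The script below is an added example and is not part of the Joe Sandbox report or its IDA plugin: it tokenises the report's execution_graph text, keeps the API name attached to each node, and flags every node from which all five steps of that chain are reachable. The embedded listing is an abridged, constructed copy of the graph above (node ids, addresses and API names as printed there, other branches dropped); the token grammar the parser assumes ("<id> <hex addr> [<ApiName> | <n> API calls]" and "<src>-><dst>") is inferred from this page, not taken from Joe Sandbox documentation.

```python
import re
from collections import defaultdict, deque

# Constructed input: an abridged copy of the report's execution_graph listing,
# keeping dispatcher node 44920 and the sub-graphs that carry API names.
# Node ids, addresses and API names are as printed on the page; the token
# grammar ("<id> <hex addr> [<ApiName> | <n> API calls]", "<src>-><dst>")
# is inferred from that listing, not taken from Joe Sandbox documentation.
SAMPLE_GRAPH = """execution_graph 44920 7732234 44921 7732262 44920->44921
44984 7732854 44920->44984 44989 7732b75 44920->44989 44993 7732c95 44920->44993
45019 7732828 44920->45019 45042 7732665 44920->45042 45054 7732bc2 44920->45054
44955 7732243 44956 7732262 44955->44956 44957 77328b1 6 API calls 44955->44957 44957->44956
45043 77326fc 45042->45043 45044 773262f 45042->45044 45043->44921 45044->45043
45046 8e8fc58 CreateProcessA 45044->45046 45045 7732795 45045->44921 45046->45045
44985 7732b3e 44984->44985 45090 8e8f908 44985->45090 44986 7732b5f
45091 8e8f910 VirtualAllocEx 45090->45091 45093 8e8f98d 45091->45093 45093->44986
44991 8e8f9c8 WriteProcessMemory 44989->44991 44990 7732ba3 44991->44990
45020 7732c03 45019->45020 45022 8e8f3f9 Wow64SetThreadContext 45020->45022 45021 7732c1e 45021->44921 45022->45021
44994 7732c9b 44993->44994 44999 8e8f348 ResumeThread 44994->44999 44995 7732f9e 44999->44995
45106 8e8fab9 45054->45106 45055 7732be4 45055->44921 45107 8e8fac0 ReadProcessMemory 45106->45107 45109 8e8fb4f 45107->45109 45109->45055
"""

# Each step of the process-hollowing (RunPE) chain with the accepted API
# spellings; Wow64SetThreadContext is what a 32-bit injector calls on x64.
HOLLOWING_CHAIN = (
    {"CreateProcessA", "CreateProcessW"},
    {"VirtualAllocEx"},
    {"WriteProcessMemory"},
    {"SetThreadContext", "Wow64SetThreadContext"},
    {"ResumeThread"},
)

EDGE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID = re.compile(r"^\d{5}$")               # node ids are 5-digit decimals
ADDRESS = re.compile(r"^[0-9a-f]{6,8}$")        # addresses are 6-8 lowercase hex digits
API_NAME = re.compile(r"^[A-Z][A-Za-z0-9]*$")   # Win32 export names start upper-case


def parse_execution_graph(text):
    """Tokenise an execution_graph listing.

    Returns (nodes, edges): nodes maps id -> {"addr": hex string, "api": name or None},
    edges maps source id -> list of destination ids in listing order. Summary
    nodes ("6 API calls") get api=None because the listing does not name the APIs.
    """
    tokens = text.split()
    if tokens and tokens[0] == "execution_graph":
        tokens = tokens[1:]
    nodes, edges = {}, defaultdict(list)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE.match(tok)
        if edge:
            edges[int(edge.group(1))].append(int(edge.group(2)))
            i += 1
            continue
        if NODE_ID.match(tok) and i + 1 < len(tokens) and ADDRESS.match(tokens[i + 1]):
            node = {"addr": tokens[i + 1], "api": None}
            nodes[int(tok)] = node
            i += 2
            if i + 2 < len(tokens) and tokens[i + 1:i + 3] == ["API", "calls"]:
                i += 3                       # "<n> API calls" summary label
            elif i < len(tokens) and API_NAME.match(tokens[i]):
                node["api"] = tokens[i]      # imported API called from this node
                i += 1
            continue
        raise ValueError(f"unexpected token {tok!r} at position {i}")
    return nodes, dict(edges)


def reachable_apis(nodes, edges, start):
    """API names on every node reachable from `start` (cycles are tolerated)."""
    seen, queue, apis = {start}, deque([start]), set()
    while queue:
        nid = queue.popleft()
        api = nodes.get(nid, {}).get("api")
        if api:
            apis.add(api)
        for dst in edges.get(nid, ()):
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return apis


def find_hollowing_dispatchers(nodes, edges):
    """Nodes from which every step of HOLLOWING_CHAIN is reachable, as (id, addr)."""
    hits = []
    for nid, node in nodes.items():
        apis = reachable_apis(nodes, edges, nid)
        if all(apis & step for step in HOLLOWING_CHAIN):
            hits.append((nid, node["addr"]))
    return sorted(hits)


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(SAMPLE_GRAPH)
    for nid, addr in find_hollowing_dispatchers(nodes, edges):
        print(f"node {nid} @ 0x{addr}: full hollowing chain reachable; APIs = "
              f"{sorted(reachable_apis(nodes, edges, nid))}")
```

The match is on reachability rather than on the node's own label, so a "6 API calls" summary node never matches by itself (the listing does not say which APIs it wraps), and on the full graph above the callers of 44920 (44919 and 44914, which lead into it) would match as well; the lowest matching node, here 44920 at 0x7732234, is the one that marks the injector routine worth opening in the dump.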

                                                                                                                  Control-flow Graph

                                                                                                                  • Executed
                                                                                                                  • Not Executed
                                                                                                                  control_flow_graph 449 8e8fc4c-8e8fced 452 8e8fcef-8e8fcf9 449->452 453 8e8fd26-8e8fd46 449->453 452->453 454 8e8fcfb-8e8fcfd 452->454 460 8e8fd48-8e8fd52 453->460 461 8e8fd7f-8e8fdae 453->461 455 8e8fcff-8e8fd09 454->455 456 8e8fd20-8e8fd23 454->456 458 8e8fd0b 455->458 459 8e8fd0d-8e8fd1c 455->459 456->453 458->459 459->459 462 8e8fd1e 459->462 460->461 463 8e8fd54-8e8fd56 460->463 469 8e8fdb0-8e8fdba 461->469 470 8e8fde7-8e8fea1 CreateProcessA 461->470 462->456 465 8e8fd58-8e8fd62 463->465 466 8e8fd79-8e8fd7c 463->466 467 8e8fd64 465->467 468 8e8fd66-8e8fd75 465->468 466->461 467->468 468->468 471 8e8fd77 468->471 469->470 472 8e8fdbc-8e8fdbe 469->472 481 8e8feaa-8e8ff30 470->481 482 8e8fea3-8e8fea9 470->482 471->466 474 8e8fdc0-8e8fdca 472->474 475 8e8fde1-8e8fde4 472->475 476 8e8fdcc 474->476 477 8e8fdce-8e8fddd 474->477 475->470 476->477 477->477 479 8e8fddf 477->479 479->475 492 8e8ff40-8e8ff44 481->492 493 8e8ff32-8e8ff36 481->493 482->481 495 8e8ff54-8e8ff58 492->495 496 8e8ff46-8e8ff4a 492->496 493->492 494 8e8ff38 493->494 494->492 497 8e8ff68-8e8ff6c 495->497 498 8e8ff5a-8e8ff5e 495->498 496->495 499 8e8ff4c 496->499 501 8e8ff7e-8e8ff85 497->501 502 8e8ff6e-8e8ff74 497->502 498->497 500 8e8ff60 498->500 499->495 500->497 503 8e8ff9c 501->503 504 8e8ff87-8e8ff96 501->504 502->501 506 8e8ff9d 503->506 504->503 506->506
                                                                                                                  APIs
                                                                                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08E8FE8E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.1747127028.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_8e80000_nDVstwLnVvg.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateProcess
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 963392458-0
                                                                                                                  • Opcode ID: a376221594613a072642e67e4d492bc9341780db268ffa6088967c52ad601797
                                                                                                                  • Instruction ID: 425ab82ee9c551662ac3a0c23e0d42cab44fc0eed0154c1df5d22819a0a8697a
                                                                                                                  • Opcode Fuzzy Hash: a376221594613a072642e67e4d492bc9341780db268ffa6088967c52ad601797
                                                                                                                  • Instruction Fuzzy Hash: 5F916B72D00219DFDB20DFA8C8417DDBBB2BF49315F1485A9E85CA7280DB749985CF91

                                                                                                                  Control-flow Graph

                                                                                                                  control_flow_graph 507 8e8fc58-8e8fced 509 8e8fcef-8e8fcf9 507->509 510 8e8fd26-8e8fd46 507->510 509->510 511 8e8fcfb-8e8fcfd 509->511 517 8e8fd48-8e8fd52 510->517 518 8e8fd7f-8e8fdae 510->518 512 8e8fcff-8e8fd09 511->512 513 8e8fd20-8e8fd23 511->513 515 8e8fd0b 512->515 516 8e8fd0d-8e8fd1c 512->516 513->510 515->516 516->516 519 8e8fd1e 516->519 517->518 520 8e8fd54-8e8fd56 517->520 526 8e8fdb0-8e8fdba 518->526 527 8e8fde7-8e8fea1 CreateProcessA 518->527 519->513 522 8e8fd58-8e8fd62 520->522 523 8e8fd79-8e8fd7c 520->523 524 8e8fd64 522->524 525 8e8fd66-8e8fd75 522->525 523->518 524->525 525->525 528 8e8fd77 525->528 526->527 529 8e8fdbc-8e8fdbe 526->529 538 8e8feaa-8e8ff30 527->538 539 8e8fea3-8e8fea9 527->539 528->523 531 8e8fdc0-8e8fdca 529->531 532 8e8fde1-8e8fde4 529->532 533 8e8fdcc 531->533 534 8e8fdce-8e8fddd 531->534 532->527 533->534 534->534 536 8e8fddf 534->536 536->532 549 8e8ff40-8e8ff44 538->549 550 8e8ff32-8e8ff36 538->550 539->538 552 8e8ff54-8e8ff58 549->552 553 8e8ff46-8e8ff4a 549->553 550->549 551 8e8ff38 550->551 551->549 554 8e8ff68-8e8ff6c 552->554 555 8e8ff5a-8e8ff5e 552->555 553->552 556 8e8ff4c 553->556 558 8e8ff7e-8e8ff85 554->558 559 8e8ff6e-8e8ff74 554->559 555->554 557 8e8ff60 555->557 556->552 557->554 560 8e8ff9c 558->560 561 8e8ff87-8e8ff96 558->561 559->558 563 8e8ff9d 560->563 561->560 563->563
                                                                                                                  APIs
                                                                                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08E8FE8E
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.1747127028.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_8e80000_nDVstwLnVvg.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: CreateProcess
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 963392458-0
                                                                                                                  • Opcode ID: b38f432d5ed0361ec909f0230e01038bf9ffe1a8fe0e9e42d640af127cbaca0c
                                                                                                                  • Instruction ID: 64dca52171c27b5c35e4c663f16876385b3b2828aa800c45da192ba02edf4c93
                                                                                                                  • Opcode Fuzzy Hash: b38f432d5ed0361ec909f0230e01038bf9ffe1a8fe0e9e42d640af127cbaca0c
                                                                                                                  • Instruction Fuzzy Hash: FA915A72D00219DFDB20DFA8C840BDDBBB2BF49315F1485AAE85CA7280DB749985CF91

                                                                                                                  Control-flow Graph

                                                                                                                  control_flow_graph 564 31db3c1-31db3ce 565 31db3d5-31db3df 564->565 566 31db3d0-31db3d4 564->566 567 31db40b-31db40f 565->567 568 31db3e1-31db3ee call 31d9f4c 565->568 566->565 570 31db411-31db41b 567->570 571 31db423-31db464 567->571 575 31db404 568->575 576 31db3f0 568->576 570->571 577 31db466-31db46e 571->577 578 31db471-31db47f 571->578 575->567 623 31db3f6 call 31db659 576->623 624 31db3f6 call 31db668 576->624 577->578 579 31db481-31db486 578->579 580 31db4a3-31db4a5 578->580 582 31db488-31db48f call 31d9f58 579->582 583 31db491 579->583 585 31db4a8-31db4af 580->585 581 31db3fc-31db3fe 581->575 584 31db540-31db5be 581->584 589 31db493-31db4a1 582->589 583->589 616 31db5c5-31db600 584->616 617 31db5c0-31db5c4 584->617 586 31db4bc-31db4c3 585->586 587 31db4b1-31db4b9 585->587 590 31db4c5-31db4cd 586->590 591 31db4d0-31db4d9 call 31d9f68 586->591 587->586 589->585 590->591 597 31db4db-31db4e3 591->597 598 31db4e6-31db4eb 591->598 597->598 599 31db4ed-31db4f4 598->599 600 31db509-31db516 598->600 599->600 602 31db4f6-31db506 call 31d9f78 call 31dafbc 599->602 606 31db539-31db53f 600->606 607 31db518-31db536 600->607 602->600 607->606 618 31db608-31db633 GetModuleHandleW 616->618 619 31db602-31db605 616->619 617->616 620 31db63c-31db650 618->620 621 31db635-31db63b 618->621 619->618 621->620 623->581 624->581
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.1722866572.00000000031D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031D0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_31d0000_nDVstwLnVvg.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 7215a89c0ec0c99791737c1c8228b419d3b059d8fe3e4285c2747c4fa4bde4d8
                                                                                                                  • Instruction ID: d15ee00dbe6f1d926149dab3ed06cd30f624a41f636148274cda2bd43ff49ff0
                                                                                                                  • Opcode Fuzzy Hash: 7215a89c0ec0c99791737c1c8228b419d3b059d8fe3e4285c2747c4fa4bde4d8
                                                                                                                  • Instruction Fuzzy Hash: B3815370A04B058FDB24DF29D54079ABBF5FF89300F148A6DE48ADBA50EB74E845CB90

                                                                                                                  Control-flow Graph

                                                                                                                  control_flow_graph 625 31d590c-31d590e 626 31d5915-31d5916 625->626 627 31d5910-31d5912 625->627 630 31d591d-31d59d9 CreateActCtxA 626->630 631 31d5918 626->631 628 31d5919-31d591c 627->628 629 31d5914 627->629 628->630 629->626 633 31d59db-31d59e1 630->633 634 31d59e2-31d5a3c 630->634 631->628 633->634 641 31d5a3e-31d5a41 634->641 642 31d5a4b-31d5a4f 634->642 641->642 643 31d5a51-31d5a5d 642->643 644 31d5a60 642->644 643->644 646 31d5a61 644->646 646->646
                                                                                                                  APIs
                                                                                                                  • CreateActCtxA.KERNEL32(?), ref: 031D59C9
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.1722866572.00000000031D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031D0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_31d0000_nDVstwLnVvg.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Create
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2289755597-0
                                                                                                                  • Opcode ID: 3543652c88bf4fe7d586c7714ac0874c51e82eb8576b3e2d8fad63d42acc4d0c
                                                                                                                  • Instruction ID: 9b172a59804bae4a1ac7c774f60f3ed16170044190d62270f99800906e66e323
                                                                                                                  • Opcode Fuzzy Hash: 3543652c88bf4fe7d586c7714ac0874c51e82eb8576b3e2d8fad63d42acc4d0c
                                                                                                                  • Instruction Fuzzy Hash: 2341F4B0C00729CBDF18CFA9C884BDDBBB6BF4A304F24805AD419AB251DB755985CF90

                                                                                                                  Control-flow Graph

                                                                                                                  control_flow_graph 647 31d44f0-31d59d9 CreateActCtxA 652 31d59db-31d59e1 647->652 653 31d59e2-31d5a3c 647->653 652->653 660 31d5a3e-31d5a41 653->660 661 31d5a4b-31d5a4f 653->661 660->661 662 31d5a51-31d5a5d 661->662 663 31d5a60 661->663 662->663 665 31d5a61 663->665 665->665
                                                                                                                  APIs
                                                                                                                  • CreateActCtxA.KERNEL32(?), ref: 031D59C9
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.1722866572.00000000031D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031D0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_31d0000_nDVstwLnVvg.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: Create
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 2289755597-0
                                                                                                                  • Opcode ID: a01dc177721c3ef4917232eb25f6ec105dada2a16ae337d056fe349bb7ee3ce3
                                                                                                                  • Instruction ID: affb128dc09774cd94f27f8b2a12b824cc31f03a357b914e6bc40d2e3f88daae
                                                                                                                  • Opcode Fuzzy Hash: a01dc177721c3ef4917232eb25f6ec105dada2a16ae337d056fe349bb7ee3ce3
                                                                                                                  • Instruction Fuzzy Hash: A641D4B0C0072DCBDB24DFA9C884BDDBBB6BF49304F24806AD419AB255DBB55945CF90

Control-flow Graph
• Function at 5834160 (basic blocks 5834160-583427c, one CallWindowProcW call site); graph legend: Executed / Not Executed (graph image not reproduced)
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 05834221
Memory Dump Source
• Source File: 00000007.00000002.1745194594.0000000005830000.00000040.00000800.00020000.00000000.sdmp, Offset: 05830000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_5830000_nDVstwLnVvg.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0

Control-flow Graph
• Function at 8e8f9c8 (basic blocks 8e8f9c8-8e8faa6, one WriteProcessMemory call site); graph legend: Executed / Not Executed (graph image not reproduced)
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08E8FA60
Memory Dump Source
• Source File: 00000007.00000002.1747127028.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_8e80000_nDVstwLnVvg.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0

Control-flow Graph
• Function at 8e8f9d0 (basic blocks 8e8f9d0-8e8faa6, one WriteProcessMemory call site); graph legend: Executed / Not Executed (graph image not reproduced)
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08E8FA60
Memory Dump Source
• Source File: 00000007.00000002.1747127028.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_8e80000_nDVstwLnVvg.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08E8FB40
Memory Dump Source
• Source File: 00000007.00000002.1747127028.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_8e80000_nDVstwLnVvg.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0

Control-flow Graph
• Function at 31db3b0 (basic blocks 31db3b0-31dda82, one DuplicateHandle call site); graph legend: Executed / Not Executed (graph image not reproduced)
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,031DD586,?,?,?,?,?), ref: 031DDA4F
Memory Dump Source
• Source File: 00000007.00000002.1722866572.00000000031D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_31d0000_nDVstwLnVvg.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 08E8F47E
Memory Dump Source
• Source File: 00000007.00000002.1747127028.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_8e80000_nDVstwLnVvg.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,031DD586,?,?,?,?,?), ref: 031DDA4F
Memory Dump Source
• Source File: 00000007.00000002.1722866572.00000000031D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031D0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_31d0000_nDVstwLnVvg.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08E8FB40
Memory Dump Source
• Source File: 00000007.00000002.1747127028.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_8e80000_nDVstwLnVvg.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 08E8F47E
Memory Dump Source
• Source File: 00000007.00000002.1747127028.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_8e80000_nDVstwLnVvg.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08E8F97E
Memory Dump Source
• Source File: 00000007.00000002.1747127028.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_8e80000_nDVstwLnVvg.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08E8F97E
Memory Dump Source
• Source File: 00000007.00000002.1747127028.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_8e80000_nDVstwLnVvg.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
Memory Dump Source
• Source File: 00000007.00000002.1747127028.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_8e80000_nDVstwLnVvg.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
Memory Dump Source
• Source File: 00000007.00000002.1747127028.0000000008E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_8e80000_nDVstwLnVvg.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
                                                                                                                  APIs
                                                                                                                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 07733875
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.1746680682.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_7730000_nDVstwLnVvg.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessagePost
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 410705778-0
                                                                                                                  • Opcode ID: 405a66a69a8f3c063ff57be8bf238a209424e51c9a5677f9d34e5d4b7ced8a55
                                                                                                                  • Instruction ID: e96c76dfad7609965eb5106c974e58514f0c48a6f69c1f0daebb419f526b7fad
                                                                                                                  • Opcode Fuzzy Hash: 405a66a69a8f3c063ff57be8bf238a209424e51c9a5677f9d34e5d4b7ced8a55
                                                                                                                  • Instruction Fuzzy Hash: 251106B5800349DFDB20DF9AC445BDEBBF8EB48310F108829E554A7211D375A944CFA1
                                                                                                                  APIs
                                                                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 031DB626
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.1722866572.00000000031D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031D0000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_31d0000_nDVstwLnVvg.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: HandleModule
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 4139908857-0
                                                                                                                  • Opcode ID: f0d759997e1e192da3e280b65a53894f170de55cb31f43d6bb214dfb4865b5cb
                                                                                                                  • Instruction ID: 49684f835f52164ce9321b86eb8a8db45d21b83ea261ff8b0c2dbe808d401e18
                                                                                                                  • Opcode Fuzzy Hash: f0d759997e1e192da3e280b65a53894f170de55cb31f43d6bb214dfb4865b5cb
                                                                                                                  • Instruction Fuzzy Hash: BB110FB5C002498FCB10CF9AC444ADEFBF4AB89220F15842AD429B7210C375A545CFA5
                                                                                                                  APIs
                                                                                                                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 07733875
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.1746680682.0000000007730000.00000040.00000800.00020000.00000000.sdmp, Offset: 07730000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_7730000_nDVstwLnVvg.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID: MessagePost
                                                                                                                  • String ID:
                                                                                                                  • API String ID: 410705778-0
                                                                                                                  • Opcode ID: e5ad567eddfb71a67fd2539b5bc5e538e67bd61ad7ec21aefbdf97d96bb7fca1
                                                                                                                  • Instruction ID: 1fd1e2d9db16156b1207a6009a34ada18d6144c15f5f8a283fb8bf98cbd08611
                                                                                                                  • Opcode Fuzzy Hash: e5ad567eddfb71a67fd2539b5bc5e538e67bd61ad7ec21aefbdf97d96bb7fca1
                                                                                                                  • Instruction Fuzzy Hash: EC11D3B5800249DFDB20CF99D488BDEBBF4EB48364F10882AE568B7211C375A584CFA1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.1722232011.0000000001A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A2D000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_1a2d000_nDVstwLnVvg.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: a2041c280fb73b0a2a786ed2e30def30276266469154ed5cfc816f39d84522c2
                                                                                                                  • Instruction ID: eef11a8faa01b3bb0d4d8418aebf5ec00eefb8df7d77a471187cc2bf613620bb
                                                                                                                  • Opcode Fuzzy Hash: a2041c280fb73b0a2a786ed2e30def30276266469154ed5cfc816f39d84522c2
                                                                                                                  • Instruction Fuzzy Hash: 1921F271504240EFDB05DF6CDAC0B2ABFA5FB88318F24C669E9094B257C376D456CAA2
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.1722232011.0000000001A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A2D000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_1a2d000_nDVstwLnVvg.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: c49452b93b073fd865d1a1a04a2c83fdbff3771852a7801b15b32b041e21af83
                                                                                                                  • Instruction ID: b5db2395dd5a8f3b073de8d761a93c465a0e51e81aa614c457064fbf0242be2b
                                                                                                                  • Opcode Fuzzy Hash: c49452b93b073fd865d1a1a04a2c83fdbff3771852a7801b15b32b041e21af83
                                                                                                                  • Instruction Fuzzy Hash: CC214571504200DFDB05DF4CC9C0B66BF65FB88324F24C169E9094F257C336E446CAA1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.1722307586.0000000001A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A3D000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_1a3d000_nDVstwLnVvg.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 1d74075fd70cb33a5a8e10ff27ec26e048588db9d05dfcf5e723bc607c547edb
                                                                                                                  • Instruction ID: 475285a7411efe55cfd207972458ab8c72f883995813e8668b848ee3416ecab1
                                                                                                                  • Opcode Fuzzy Hash: 1d74075fd70cb33a5a8e10ff27ec26e048588db9d05dfcf5e723bc607c547edb
                                                                                                                  • Instruction Fuzzy Hash: E2210471504200EFDB05DF98D9C0B26BBA5FBC4324F64C66DF9494B256C736D446CA61
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.1722307586.0000000001A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A3D000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_1a3d000_nDVstwLnVvg.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: dc75a3cf33d049b20d0de3b420ad2918374635ef068b23cb98ce704abf940c43
                                                                                                                  • Instruction ID: dfc7cd6777b56b4107b1086d04d6e4bd09e6842f18fe998223a78c93dde7d2f3
                                                                                                                  • Opcode Fuzzy Hash: dc75a3cf33d049b20d0de3b420ad2918374635ef068b23cb98ce704abf940c43
                                                                                                                  • Instruction Fuzzy Hash: D4213070604200DFCB11DF68D980B26FFA5FB85B24F64C569E80A4B256C33AC806CA61
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.1722232011.0000000001A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A2D000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_1a2d000_nDVstwLnVvg.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                  • Instruction ID: facc9486bfc9b0d0bb1d71b5632d9ae58c40917509aceb8c247097d740d63b51
                                                                                                                  • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                  • Instruction Fuzzy Hash: 7A110372404280CFDB06CF58D5C4B16BF71FB84318F24C6A9D8090B257C336D45ACBA1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.1722232011.0000000001A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A2D000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_1a2d000_nDVstwLnVvg.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                  • Instruction ID: 7a96785233893542646029474c4fc2763535f612db8ac657e1975ea9249fbd50
                                                                                                                  • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                                  • Instruction Fuzzy Hash: D511E172404280CFDB06CF48D9C4B56BF72FB94324F24C2A9D9090B257C33AE45ACBA1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.1722307586.0000000001A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A3D000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_1a3d000_nDVstwLnVvg.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                  • Instruction ID: 2f69409b194401cf9f445e346401dd5dd443926aeef5dc13b787293491958b28
                                                                                                                  • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                  • Instruction Fuzzy Hash: 9D11D075504280CFDB12CF54D5C4B15FF61FB85724F24C6AAE84A4B656C33AD40ACB61
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 00000007.00000002.1722307586.0000000001A3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01A3D000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_7_2_1a3d000_nDVstwLnVvg.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                  • Instruction ID: 6d0233a75c23bbf9b4b3663f138bf722ed667349116255effa7b243b59943876
                                                                                                                  • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                                  • Instruction Fuzzy Hash: 8211BB75504280DFDB02CF94C5C4B15BFA1FB84224F24C6AAE8494B296C33AD40ACB61

                                                                                                                  Execution Graph

                                                                                                                  Execution Coverage:14.2%
                                                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                                                  Signature Coverage:12.3%
                                                                                                                  Total number of Nodes:57
                                                                                                                  Total number of Limit Nodes:10
                                                                                                                  Strings
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID: N
                                                                                                                  • API String ID: 0-1130791706
                                                                                                                  • Opcode ID: d64ab4bb251560ed0fc9cdd05d62f5552b3784cde070338f2816c6b66be9a97a
                                                                                                                  • Instruction ID: 8726050fbd0f0e518d3dbfb0cfce43adf82dfad1332137c5d4f436e6814f2eee
                                                                                                                  • Opcode Fuzzy Hash: d64ab4bb251560ed0fc9cdd05d62f5552b3784cde070338f2816c6b66be9a97a
                                                                                                                  • Instruction Fuzzy Hash: 2873F671C10B5A8EDB11EF68C854A99FBB1FF99300F51D69AE44877221EB70AAC4CF41

                                                                                                                  Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000C.00000002.2908415170.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_30b0000_nDVstwLnVvg.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 91b8c9e0de2c19d5d6eb860410d4b03c6f9301b897481a763a9ee3dd83dc661b
• Instruction ID: 9f14521c5ff49dc8e75c964664e69eae23859d1814a62941c92d45bc45ef7e5c
• Opcode Fuzzy Hash: 91b8c9e0de2c19d5d6eb860410d4b03c6f9301b897481a763a9ee3dd83dc661b
• Instruction Fuzzy Hash: E9223874E01219CFDB18DFA9C894BDEBBB2BF88304F1485A9D409AB395DB349985CF50

Control-flow Graph
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
Similarity
• API ID:
• String ID: Xbq$Xbq
• API String ID: 0-1243427068
• Opcode ID: d20a3cce0ba76ff84836feee2370a02fa9c7acbb343a9bbea982d9f4c9581d83
• Instruction ID: 637700ebc624268ac3c668700cff221be33283d0773f3d343730ad60e40e697d
• Opcode Fuzzy Hash: d20a3cce0ba76ff84836feee2370a02fa9c7acbb343a9bbea982d9f4c9581d83
• Instruction Fuzzy Hash: DF42F3B3AA4A548FC716CB34D8D678437F2AF6B21836C54DDD0E18E065D36EA582CB07

Control-flow Graph
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
Similarity
• API ID:
• String ID: Xbq$$^q
• API String ID: 0-1593437937
• Opcode ID: 08e3f4238907d73c40bbb857c9b7bbb040c07c51147d47cf474d03f784a57cb3
• Instruction ID: 9e7a54a978a3b1cd20dbb7c24371d87a9580e374b7caf1e409ae9c7ea5808344
• Opcode Fuzzy Hash: 08e3f4238907d73c40bbb857c9b7bbb040c07c51147d47cf474d03f784a57cb3
• Instruction Fuzzy Hash: 7191A5B0B14258DBDB1CEB78885527EBBB3BFC8700B04892DE546E7399DE35C9428791

Control-flow Graph
APIs
Memory Dump Source
• Source File: 0000000C.00000002.2908415170.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_30b0000_nDVstwLnVvg.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: e21d2c1c8222dbffc82d38627c18915676e8a41fcdea2c5cd183b6f29e02e574
• Instruction ID: 57cf4dc73525d04ea3f6359516ef98da51dda2a9c4ff3f33c8edaa2e78254a72
• Opcode Fuzzy Hash: e21d2c1c8222dbffc82d38627c18915676e8a41fcdea2c5cd183b6f29e02e574
• Instruction Fuzzy Hash: 6931E4B1D016189BEB18CFAAD8887DDFBF6BF88310F14C16AE418B72A4DB7449458F10
Memory Dump Source
• Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6ce855ce6c5d9f23d831a2a67e70e4a35d2d39562d206f5081272627012e5d8a
• Instruction ID: 7bf1048a19405f0b35856bad7d3230ac643b04949afdd44bbd8926c06b0e6683
• Opcode Fuzzy Hash: 6ce855ce6c5d9f23d831a2a67e70e4a35d2d39562d206f5081272627012e5d8a
• Instruction Fuzzy Hash: A4C19074E01218CFDB14DFA9D994B9DBBB2FB89304F1081AAD809A7354DB399E85CF11
Memory Dump Source
• Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 116fbf43ab2d72227d095994efbeef956d3a76551ec9a4d9f238fa0d68b4cdc8
• Instruction ID: 3e1f7f245662971ca1d004ea1d758c5bc55ec4f5aed09fc92809523111d8527c
• Opcode Fuzzy Hash: 116fbf43ab2d72227d095994efbeef956d3a76551ec9a4d9f238fa0d68b4cdc8
• Instruction Fuzzy Hash: 4BB13770D1161A8EDB10DFA9C8446DDFBB1FF89300F14C2AAE448BB261EB709A84CF41
Memory Dump Source
• Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c60706ad16716682e0eb3201215135349f3c27f0f5e339343ee378f63f1c8f07
• Instruction ID: 17a3e0136c28764ed689e6e9e7814af1bc7451a2402c07a6af5c3dc518b076bf
• Opcode Fuzzy Hash: c60706ad16716682e0eb3201215135349f3c27f0f5e339343ee378f63f1c8f07
• Instruction Fuzzy Hash: BFA13570D00209CFEB14DFA9D894B9DBBB1FF89314F209269E508AB2A5DB745985CF50
Memory Dump Source
• Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cf5b00567757cdb18d7a70162bb23b1f1c752359280de65a044e664aa1642c2e
• Instruction ID: f2955cb225021aa22e81c5746b9baa5dc4626ee3ebbbf395e055bb6b0b5bd85e
• Opcode Fuzzy Hash: cf5b00567757cdb18d7a70162bb23b1f1c752359280de65a044e664aa1642c2e
• Instruction Fuzzy Hash: 1E910570D00208CFEB14DFA8D9887DDBBB1FF89314F20925AE509AB295DBB49985CF14
Memory Dump Source
• Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 95c9d560534ab7110fc6b746d69de7e764b28aafd0d6bee68da2cca078d53f43
• Instruction ID: 9ab62ba284a5c8159d38ab83f3ebe557cf9f2ed1747b4159568b9cd9362a9753
• Opcode Fuzzy Hash: 95c9d560534ab7110fc6b746d69de7e764b28aafd0d6bee68da2cca078d53f43
• Instruction Fuzzy Hash: 0741F474D02208CFEB18CFAAD85469DBBB2BF89304F24C12AD815AB258EB745985CF50

Control-flow Graph
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
Similarity
• API ID:
• String ID: 8cq$Hbq$Hbq$Hbq$TJcq
• API String ID: 0-1895975235
• Opcode ID: 1b7fc5c26f11725d4e09e710247957cd8a221a4f85c3ff26fc3f576ee30f4d48
• Instruction ID: d390efd90304c1fb91318599d7d71629df7baaa913c7adb8a3d29c5b944e03b8
• Opcode Fuzzy Hash: 1b7fc5c26f11725d4e09e710247957cd8a221a4f85c3ff26fc3f576ee30f4d48
• Instruction Fuzzy Hash: 88E1C271B142058FCB15DF6CC890AAE7BB6EFC9320F184469D645EB3A6CA35DC42CB51

Control-flow Graph
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
Similarity
• API ID:
• String ID: 0oAp$LjAp$LjAp$PH^q$PH^q
• API String ID: 0-1487592376
• Opcode ID: 1f0f264016c94e67a35b5b645e884d9eb722bb991f099664ff828d7dbb92b7bb
• Instruction ID: 24656a318a03a3bd912ef901f820cd61f8573f4fa0884bd4e0db457bb9654fc8
• Opcode Fuzzy Hash: 1f0f264016c94e67a35b5b645e884d9eb722bb991f099664ff828d7dbb92b7bb
• Instruction Fuzzy Hash: A951D2B4E102489FCB48DFA9D584A9DFBF2BF89300F108469E815AB324DB349946CF00

Control-flow Graph
control_flow_graph 677 12319b8-1231a13 681 1231a35-1231a84 677->681 682 1231a15-1231a34 677->682 686 1231a86-1231a8d 681->686 687 1231a9f 681->687 688 1231a96-1231a9d 686->688 689 1231a8f-1231a94 686->689 691 1231aa7 687->691 690 1231aaa-1231abe 688->690 689->690 693 1231ac0-1231ac7 690->693 694 1231ad4-1231adc 690->694 691->690 695 1231ac9-1231acb 693->695 696 1231acd-1231ad2 693->696 697 1231ade-1231ae2 694->697 695->697 696->697 699 1231b42-1231b45 697->699 700 1231ae4-1231af9 697->700 701 1231b47-1231b5c 699->701 702 1231b8d-1231b93 699->702 700->699 707 1231afb-1231afe 700->707 701->702 709 1231b5e-1231b62 701->709 704 1231b99-1231b9b 702->704 705 123268e 702->705 704->705 708 1231ba1-1231ba6 704->708 712 1232693-12326dc 705->712 710 1231b00-1231b02 707->710 711 1231b1d-1231b3b call 12302a8 707->711 713 123263c-1232640 708->713 714 1231bac 708->714 715 1231b64-1231b68 709->715 716 1231b6a-1231b88 call 12302a8 709->716 710->711 717 1231b04-1231b07 710->717 711->699 732 12326fa-12327b6 712->732 733 12326de-12326f9 712->733 719 1232642-1232645 713->719 720 1232647-123268d 713->720 714->713 715->702 715->716 716->702 717->699 722 1231b09-1231b1b 717->722 719->712 719->720 722->699 722->711 733->732
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
Similarity
• API ID:
• String ID: Xbq$Xbq$Xbq$Xbq
• API String ID: 0-2732225958
• Opcode ID: 0d18b464adefc2b8b120e53afa9bdd06b10e0f9e08109c93b32ca5b9d217722d
• Instruction ID: 2d53c9fde22e76bec780c539d45d29e0bdf83ba53fb4966a9f7f414b33f13568
• Opcode Fuzzy Hash: 0d18b464adefc2b8b120e53afa9bdd06b10e0f9e08109c93b32ca5b9d217722d
• Instruction Fuzzy Hash: BFC190B3E606198FCB18CF78D881799B7B3FFA9304F6840ADD1549B164D7359A82CB42

Control-flow Graph
control_flow_graph 1528 123ad3d-123afaf call 123a428 1533 123afb5-123afb7 1528->1533 1534 123b18b-123b196 1528->1534 1535 123b19d-123b1a8 1533->1535 1536 123afbd-123afc1 1533->1536 1534->1535 1541 123b1af-123b1ba 1535->1541 1536->1535 1538 123afc7-123afff call 123ab68 1536->1538 1538->1541 1551 123b005-123b009 1538->1551 1546 123b1c1-123b1cc 1541->1546 1550 123b1d3-123b1ff 1546->1550 1585 123b206-123b232 1550->1585 1552 123b015-123b019 1551->1552 1553 123b00b-123b00f 1551->1553 1555 123b024-123b028 1552->1555 1556 123b01b-123b022 1552->1556 1553->1546 1553->1552 1557 123b040-123b044 1555->1557 1558 123b02a-123b02e 1555->1558 1556->1557 1559 123b046-123b048 1557->1559 1560 123b04b-123b052 1557->1560 1562 123b030-123b037 1558->1562 1563 123b039 1558->1563 1559->1560 1564 123b054 1560->1564 1565 123b05b-123b05f 1560->1565 1562->1557 1563->1557 1564->1565 1566 123b110-123b113 1564->1566 1567 123b179-123b184 1564->1567 1568 123b0ae-123b0b1 1564->1568 1569 123b0dd-123b0e0 1564->1569 1570 123b065-123b069 1565->1570 1571 123b13e-123b141 1565->1571 1580 123b115 1566->1580 1581 123b11a-123b139 1566->1581 1567->1534 1573 123b0b3-123b0b6 1568->1573 1574 123b0bc-123b0db 1568->1574 1578 123b0e2-123b0e5 1569->1578 1579 123b0eb-123b10e 1569->1579 1570->1567 1575 123b06f-123b072 1570->1575 1576 123b143-123b146 1571->1576 1577 123b151-123b174 1571->1577 1573->1550 1573->1574 1600 123b097-123b09b 1574->1600 1582 123b074 1575->1582 1583 123b079-123b095 1575->1583 1576->1577 1584 123b148-123b14b 1576->1584 1577->1600 1578->1579 1578->1585 1579->1600 1580->1581 1581->1600 1582->1583 1583->1600 1584->1577 1590 123b239-123b27a 1584->1590 1585->1590 1610 123b09e call 123b5a2 1600->1610 1611 123b09e call 123b500 1600->1611 1612 123b09e call 123b4f9 1600->1612 1605 123b0a4-123b0ab 1610->1605 1611->1605 1612->1605
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
Similarity
• API ID:
• String ID: Hbq$Hbq$Hbq
• API String ID: 0-2297679979
• Opcode ID: ee4bdce16c1af61e6bd3f70eba99d6f70759fb7b9dd6112b2319d7ecfcf64d9d
• Instruction ID: ee2fb254a0c765c4e14b6e3b3d139ea0ea531e63ddffcc61de1a0c0ce89ab38c
• Opcode Fuzzy Hash: ee4bdce16c1af61e6bd3f70eba99d6f70759fb7b9dd6112b2319d7ecfcf64d9d
• Instruction Fuzzy Hash: 0781C370B102059FDF25AF78985826E7BA2FFC5360F24462AE6668B3D1DF358D01C751

Control-flow Graph
control_flow_graph 2641 123b869 2642 123b870-123b901 2641->2642 2651 123b903-123b906 2642->2651 2652 123b908-123b962 call 123ab78 2642->2652 2651->2652 2653 123b96a-123b973 2651->2653 2652->2653 2654 123b975-123b978 2653->2654 2655 123b97a-123b9b0 2653->2655 2654->2655 2657 123b9df-123b9e5 2654->2657 2655->2657 2667 123b9b2-123b9d7 call 123ab88 2655->2667 2667->2657
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
Similarity
• API ID:
• String ID: 8cq$TJcq
• API String ID: 0-1920894394
• Opcode ID: 12c4243078badda1d842124301d3343c291ac8af9b0d174c87b60589e4493414
• Instruction ID: 6e416c7ba06bfdcbdfea689c870872c6461f99599c15738e72d9d12c15164c6c
• Opcode Fuzzy Hash: 12c4243078badda1d842124301d3343c291ac8af9b0d174c87b60589e4493414
• Instruction Fuzzy Hash: 67311575B501098FCB05EFA8C590E9DBBB2FF88320F155494E505AB365CA71EC858B91

Control-flow Graph
control_flow_graph 2672 123b89d 2673 123b8a4-123b901 2672->2673 2682 123b903-123b906 2673->2682 2683 123b908-123b962 call 123ab78 2673->2683 2682->2683 2684 123b96a-123b973 2682->2684 2683->2684 2685 123b975-123b978 2684->2685 2686 123b97a-123b9b0 2684->2686 2685->2686 2688 123b9df-123b9e5 2685->2688 2686->2688 2698 123b9b2-123b9d7 call 123ab88 2686->2698 2698->2688
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
Similarity
• API ID:
• String ID: 8cq$TJcq
• API String ID: 0-1920894394
• Opcode ID: abbed1a3bd748c019ed209b5be5295671cfdd31a399015d620a38e815439ab4d
• Instruction ID: 2d84f4b9a822f59b440f21291adddde5748febe9f542b40296bcc01d1652f5eb
• Opcode Fuzzy Hash: abbed1a3bd748c019ed209b5be5295671cfdd31a399015d620a38e815439ab4d
• Instruction Fuzzy Hash: F9313675B501098FCB05EFA8C580E9DBBB2EF88320F154494E505AB3A5CA71EC858B90

APIs
• LdrInitializeThunk.NTDLL(00000000), ref: 030B11FE
Memory Dump Source
• Source File: 0000000C.00000002.2908415170.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_30b0000_nDVstwLnVvg.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 1bb47d3f1931ba766de31b2f34878d6975af90bd897b78fde9c4ce5b03806637
• Instruction ID: 5bd6e2d39cba79c32458ec62b5f66fe8e40498da9a123a6fc963f6c1a31bf193
• Opcode Fuzzy Hash: 1bb47d3f1931ba766de31b2f34878d6975af90bd897b78fde9c4ce5b03806637
• Instruction Fuzzy Hash: F6113A74E021099FDB08DFACD894AEDBBB9FB88304F148565E904E7355EB30AD41CB64

Strings
Memory Dump Source
• Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
Similarity
• API ID:
• String ID: LR^q
• API String ID: 0-2625958711
• Opcode ID: f7ec88d6c5f925f5967454e5a913d468b0a756c1dcbac8591a8bd7cb49875969
• Instruction ID: b82f4a4566539ccdd652c6d1aed3cb4ef948ed15fa647c7fac430724b7b1b096
• Opcode Fuzzy Hash: f7ec88d6c5f925f5967454e5a913d468b0a756c1dcbac8591a8bd7cb49875969
• Instruction Fuzzy Hash: 8DA1DA74A0120ACFCB05EFA8E98499DBBB2FB44305F104579E815AB369DB386D49CF91

Strings
Memory Dump Source
• Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
Similarity
• API ID:
• String ID: LR^q
• API String ID: 0-2625958711
• Opcode ID: 5ef9fc74f7c0b36a43cf96a5d11efbe9b4cb9f11fa9ac36628e5569ab2e569b7
• Instruction ID: 762f5dc4cdec661316702a311c710b3589e5fb0fecaa125d204b065fdb399858
• Opcode Fuzzy Hash: 5ef9fc74f7c0b36a43cf96a5d11efbe9b4cb9f11fa9ac36628e5569ab2e569b7
• Instruction Fuzzy Hash: 51A1CC74A0120ACFCB05EFA8E98499DBBB2FB44305F104579E815BB369DB386D49CF91

Strings
Memory Dump Source
• Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
Similarity
• API ID:
• String ID: Hbq
• API String ID: 0-1245868
• Opcode ID: 5ca1e52dfbc66d42373be62c1b80e7ac4bf5bad6a35216aa7cb343d572300508
• Instruction ID: c09202d46901f0f0d0211f5c98d7c6444fe042ecda5216c07fe3abd543b3fde3
• Opcode Fuzzy Hash: 5ca1e52dfbc66d42373be62c1b80e7ac4bf5bad6a35216aa7cb343d572300508
• Instruction Fuzzy Hash: 1231DF71A002099FCB09EFB8C854ABE7FF6EFC9200B1444B9E609DB351DE309902CB91

Strings
Memory Dump Source
• Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
Similarity
• API ID:
• String ID: Hbq
• API String ID: 0-1245868
• Opcode ID: 6ad51010d5969b2fae52091da1083873ddfdeb664364c399e27dd3eba4c3b8e1
• Instruction ID: 6a37d81a290b8a2f6e4748ae7222c60c65d9cf2d6e8b71e97c2a5bffaf4db0a6
• Opcode Fuzzy Hash: 6ad51010d5969b2fae52091da1083873ddfdeb664364c399e27dd3eba4c3b8e1
• Instruction Fuzzy Hash: 3131BF306042859FCB0AEF7DC8A0A6E7F72FFDA300B2481AAD5458B3A6CA319D15C751

Memory Dump Source
• Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 41af11d8818cb20146cd98dd92fa6e8c6c48aeef0a4bde005c14041ad03fd43b
• Instruction ID: cb40dc87b8e68d01b97c294da6240b0b6b80cc9b458e865f8bb816329092b54d
• Opcode Fuzzy Hash: 41af11d8818cb20146cd98dd92fa6e8c6c48aeef0a4bde005c14041ad03fd43b
• Instruction Fuzzy Hash: 6661FFB2A142069FCB149B7CD844A6AFBF9EBCA320B14853AE659D7250D631D8118BA0

Memory Dump Source
• Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c96dd4601e223f8301ce9adbee737c499943e878cb408dd8c0d470b80d838340
• Instruction ID: 3414e9234b1fe5ef16b620d3396d0dee7a43ce7127384ea47859c12d50bf5007
• Opcode Fuzzy Hash: c96dd4601e223f8301ce9adbee737c499943e878cb408dd8c0d470b80d838340
• Instruction Fuzzy Hash: D441AFB4E01209DFDB08DFAAD88499DBBF2BF89300F249029E805BB364DB349945CF54

Memory Dump Source
• Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0552ef4498066a8e7e58c85cbfc3e8a651a622d80f76fcf61d0e90a04f55d09e
• Instruction ID: b274ca9fe5776ae1b29d1fef7a03b76bb8e6960643c8618e49bb0bd482a5c256
• Opcode Fuzzy Hash: 0552ef4498066a8e7e58c85cbfc3e8a651a622d80f76fcf61d0e90a04f55d09e
• Instruction Fuzzy Hash: 3331B73003724A8FC6013B61B5EC27BBFA9FB4F7337086C8AE15A855598B784489CB61

                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 3d18bbe4aafd4920145abea2504d2098c02547e80be5780361677f80d2b38e39
                                                                                                                  • Instruction ID: 9da72ef3680f5716d7a70328be41fcf6d7935a93e891f69e7a5f00795a12401b
                                                                                                                  • Opcode Fuzzy Hash: 3d18bbe4aafd4920145abea2504d2098c02547e80be5780361677f80d2b38e39
                                                                                                                  • Instruction Fuzzy Hash: ED21A1B5A101069FCB14DF38C4409AE37A5EFC9664B10C05DD94E9B340EA39EE46CBD2
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.2905187051.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_11ed000_nDVstwLnVvg.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: f75e0f9f83db221c917d0a77dc838b545fb3a2f5cdb21e460a9e80fbe13d17b0
                                                                                                                  • Instruction ID: eb2d5b942693a02fd1dd51f78c88dcd38458fcb6f904574b8c3d11b6e17d0ab4
                                                                                                                  • Opcode Fuzzy Hash: f75e0f9f83db221c917d0a77dc838b545fb3a2f5cdb21e460a9e80fbe13d17b0
                                                                                                                  • Instruction Fuzzy Hash: 07212571504600DFCF19DF98E988B26BFA5EB84314F28C56DD80A4B296C336D446CA62
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: f64707b5dce5202fad3b1beece30213f04e92e12c99d6897c6168351232c3b0e
                                                                                                                  • Instruction ID: 8cfb70703ecd90ea89285680df2709ec6b3d58cc79ceb075c06441b6c482c66f
                                                                                                                  • Opcode Fuzzy Hash: f64707b5dce5202fad3b1beece30213f04e92e12c99d6897c6168351232c3b0e
                                                                                                                  • Instruction Fuzzy Hash: 622171B0E11209DFDB49EFB9D4046AEBBB2FF89304F10C4A99815AB754CB788945CF51
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.2905187051.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_11ed000_nDVstwLnVvg.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 1b3d38e35ca1d03159603773a749e100c6334327aa034827fc7aafc63e33f397
                                                                                                                  • Instruction ID: 93373f0be0a701855789082837f9e92ed53216b04654b177eac51d0bcbe8885a
                                                                                                                  • Opcode Fuzzy Hash: 1b3d38e35ca1d03159603773a749e100c6334327aa034827fc7aafc63e33f397
                                                                                                                  • Instruction Fuzzy Hash: D6218D315093C08FCB07CF64D894715BF71AB46214F28C1EBD8898F2A3C33A980ACB62
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 3d35171999be55c9e255d88d75e62db3b2ab123a79cc39928b8797091e6db024
                                                                                                                  • Instruction ID: 8fae31131544e5f7f88cdaec4f98b02a68ce15a18c683833b12ec79655abafb2
                                                                                                                  • Opcode Fuzzy Hash: 3d35171999be55c9e255d88d75e62db3b2ab123a79cc39928b8797091e6db024
                                                                                                                  • Instruction Fuzzy Hash: A9219A72750201CFD729DF29D988A66B7F2FFC9321B1480AAE649CB325DB71E845CB10
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 83a16233de3a2108340ea3e59610867de4e35053dbca36e48228a4a3758270b1
                                                                                                                  • Instruction ID: 2d56a94c7880cb19a817faf3b7d5d637445a3ea6ab8f4a9758f4aae939fbc4c6
                                                                                                                  • Opcode Fuzzy Hash: 83a16233de3a2108340ea3e59610867de4e35053dbca36e48228a4a3758270b1
                                                                                                                  • Instruction Fuzzy Hash: EF212870D1530A8FCB45DFA8D8445EEBFF1EF4A314F0451AAD405B7225E7304A99CBA1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: d1f819f76849ce492ddd300ec0ff8e7314e76012e0bad377c1e060e3a87dd7fa
                                                                                                                  • Instruction ID: f195542ff8c2284605b76c9fdf2e637d2d0631536556da3846d4f5a41b505fb0
                                                                                                                  • Opcode Fuzzy Hash: d1f819f76849ce492ddd300ec0ff8e7314e76012e0bad377c1e060e3a87dd7fa
                                                                                                                  • Instruction Fuzzy Hash: 0411A0B6E1020A8BCB14EFBC84405AEBFF5AFC8210B04453AD549F7200DB319C5187E1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: a10f9fc9830bb9f6519a4a3f5fa1e8345b510afaab61f2a9898be7332fc06412
                                                                                                                  • Instruction ID: 1d6e6cb55ead703bf9999fa4e6b0ec30fbc1fe804a12afd9eaaaa81243f556ac
                                                                                                                  • Opcode Fuzzy Hash: a10f9fc9830bb9f6519a4a3f5fa1e8345b510afaab61f2a9898be7332fc06412
                                                                                                                  • Instruction Fuzzy Hash: B201D876B002421FE7256BB98C5866F7BEBAFC52547158479C909C7355FF70CC018792
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: c3f0451da3ba488dc82642474abc25f2aa7fb97160074711ebc561170f103470
                                                                                                                  • Instruction ID: 1fec6175513b9a4b5866c4c8d59dc31dacbf805a87bd6f2c053fc08392810cce
                                                                                                                  • Opcode Fuzzy Hash: c3f0451da3ba488dc82642474abc25f2aa7fb97160074711ebc561170f103470
                                                                                                                  • Instruction Fuzzy Hash: 680122316052408FCB26EF78D8998A93FB2FFCA310718459AE146CB256CA359802DB40
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: fceaba9a5b7cd827c4828481769463ed1b7f2a95d84343eaff1b57d4201b1725
                                                                                                                  • Instruction ID: 31f533481f9c452e1787c142c9a568d198c8af284de4bfef838758df13851837
                                                                                                                  • Opcode Fuzzy Hash: fceaba9a5b7cd827c4828481769463ed1b7f2a95d84343eaff1b57d4201b1725
                                                                                                                  • Instruction Fuzzy Hash: 1001F77072031EC7EB2C4A6D88882BAA69AFBC0610F14843ED60186285CFB5CC458791
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 71862f78d459f1f535cb6c4cc3490297aef1ce8e0183c1335b8cc93434aa4a27
                                                                                                                  • Instruction ID: 6c930bca9c7e2e52931f48ed81044ec12e94fc014ba67d6c0a09be3b1f4dc59f
                                                                                                                  • Opcode Fuzzy Hash: 71862f78d459f1f535cb6c4cc3490297aef1ce8e0183c1335b8cc93434aa4a27
                                                                                                                  • Instruction Fuzzy Hash: F4016276B002565FD725AB798C4862F76EBAFC45643148879DA09C7359FE70CC018791
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 0458e7d9217a5d24c0d4359e3e66884387c2b09a7ac67291dd8feb52e7e0792f
                                                                                                                  • Instruction ID: f88f79fca37e578a44538d11585f9183c215afc6d4f381987e037d30b5379788
                                                                                                                  • Opcode Fuzzy Hash: 0458e7d9217a5d24c0d4359e3e66884387c2b09a7ac67291dd8feb52e7e0792f
                                                                                                                  • Instruction Fuzzy Hash: 33017575E012199FCF14EF69E8445AE7BB9FF88350B00443AEA5AD3241DB348D10CBA1
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 759c6550f0f3e72edd2a89c285babd8d6c4886805977fed8dc4d35f29046489a
                                                                                                                  • Instruction ID: 3b0998c646a745c13c5d0e4f8587667234a4cb3aafd7fec84a2684b9c19225e3
                                                                                                                  • Opcode Fuzzy Hash: 759c6550f0f3e72edd2a89c285babd8d6c4886805977fed8dc4d35f29046489a
                                                                                                                  • Instruction Fuzzy Hash: E5015AB17102018FD729DF2AD988B16B7E6FFC9721F108469E64A8B365DEB1EC04CB50
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 72b96203516749a7db26dc646130e0c68d3502804b71b3bd661f8de54ef5523c
                                                                                                                  • Instruction ID: a685f17be70f49675f6ec39a4dc157c54ff5a87395c6302cb5857477504252b6
                                                                                                                  • Opcode Fuzzy Hash: 72b96203516749a7db26dc646130e0c68d3502804b71b3bd661f8de54ef5523c
                                                                                                                  • Instruction Fuzzy Hash: 5B015E71E0015A9FCF15DFA8A854AAE7FB5FF89310B00403AEA99D3245D7344911DBA2
                                                                                                                  Memory Dump Source
                                                                                                                  • Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                  • Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
                                                                                                                  Similarity
                                                                                                                  • API ID:
                                                                                                                  • String ID:
                                                                                                                  • API String ID:
                                                                                                                  • Opcode ID: 746dbc132ffae63f709b1957aea6d3f606d868b79f7317eb3ad2bffb321f94fb
                                                                                                                  • Instruction ID: 289e5f657cf114f49a63ce80572f6dd05028c7cc6976dbc53e06f8c027f30553
• Opcode Fuzzy Hash: 746dbc132ffae63f709b1957aea6d3f606d868b79f7317eb3ad2bffb321f94fb
• Instruction Fuzzy Hash: 3AF0F6727042125FCB165B7DA81456E7FA9DFC622070800A7E548DB261CE31DC029760
Memory Dump Source
• Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 09f1589015278d6dcc721d19b4853e07dd769fdad4dcb77fd98f096d33bbae15
• Instruction ID: fe28dc195fdd47a73f2f8c6ba900ab15702de9c4d3e6ed4d87973517bed33ea9
• Opcode Fuzzy Hash: 09f1589015278d6dcc721d19b4853e07dd769fdad4dcb77fd98f096d33bbae15
• Instruction Fuzzy Hash: 66F0AF71904208AF8B21DFB9C880AAEBFF6FF893507044266E545D7215E670A912CBD1
Memory Dump Source
• Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: edad9b73c60a0f7ed8a6cba92d8534cc075445886a6097107c7ee12693136028
• Instruction ID: 9581b71b2c465241aeae1c1ab494347a56c46c115ad2aa4ddd6330733d51047d
• Opcode Fuzzy Hash: edad9b73c60a0f7ed8a6cba92d8534cc075445886a6097107c7ee12693136028
• Instruction Fuzzy Hash: CEF0FE384653428FD3B91BF0B86C16A3FF2EF0B3177056D61E41AD9015CB640485CF10
Memory Dump Source
• Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cc91497f2101db2493b7009a3753b78c10b04226ab4a2907d1fe070f5544d06e
• Instruction ID: d4a8d26fdc1a9e778c4a86e92e49b94cd5bb7ed315c8937fad8b6a18ecc8f08c
• Opcode Fuzzy Hash: cc91497f2101db2493b7009a3753b78c10b04226ab4a2907d1fe070f5544d06e
• Instruction Fuzzy Hash: 70F03A35340105DFC701DF69D484D6ABBEAFF887217544069EA0987331CB719C11CB90
Memory Dump Source
• Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5c125daeb31aa64c86b10e18a6bf470b9c59eca847fdb51f34ea5ce1a98e5b5b
• Instruction ID: 4782fa898c5a12cb1bd83a01aa4d8e385686f7f74f4f0a21a59ae12614ed18b8
• Opcode Fuzzy Hash: 5c125daeb31aa64c86b10e18a6bf470b9c59eca847fdb51f34ea5ce1a98e5b5b
• Instruction Fuzzy Hash: 17E0FE784213078BD6AC2BE4B5AC23A7AA6EF0B31BB446D20A12AD94199F7044D48F55
Memory Dump Source
• Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b130dc126fdb4c128f88949320f647afce94a199f2fb95f286e21137c3fb9813
• Instruction ID: 645005b49084225711b4ad0040924dff47a0fb414e8f4a11dde6c4e80ae18f2e
• Opcode Fuzzy Hash: b130dc126fdb4c128f88949320f647afce94a199f2fb95f286e21137c3fb9813
• Instruction Fuzzy Hash: 39E0D835D513178BC7019FB0DD000DD7334AD82221B148253C06936551EB70165EC6A2
Memory Dump Source
• Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9da4653c5a2150fed3087e5a397a37839e3c67deabd9876b143c34ca2204b107
• Instruction ID: 38500f3bade9f6392afe9a83f925e0f025d31839c3fe1b8d4446b912d8b1d3f2
• Opcode Fuzzy Hash: 9da4653c5a2150fed3087e5a397a37839e3c67deabd9876b143c34ca2204b107
• Instruction Fuzzy Hash: 72D01231D2022A578B00AAA5DC044EEB738EE95665B504626D55437140EB70665986A2
Memory Dump Source
• Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 801ded79c6f548d9fae13a1c66ad17b7a8018e55d31f9ad0c080f35315f100a6
• Instruction ID: 345d4010a51dfe8dfa9eff3953043b5460747285ec87129187af58558b26d3bf
• Opcode Fuzzy Hash: 801ded79c6f548d9fae13a1c66ad17b7a8018e55d31f9ad0c080f35315f100a6
• Instruction Fuzzy Hash: A1D0C737341114774B052B49A8048AE7B5EF7CD7727048027F91583354CE758D1197D5
Memory Dump Source
• Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a996f9ad646c47714b2906c99e3374946092e134bdc863dd3eae069a9b76247b
• Instruction ID: e06bd775af30ac334121c2b0859efda42cbb0fa633df5c06cc5cb331dcc4730e
• Opcode Fuzzy Hash: a996f9ad646c47714b2906c99e3374946092e134bdc863dd3eae069a9b76247b
• Instruction Fuzzy Hash: BDC08C6400D2C00FCF5313606C6A0663FB0AD4320071408CAD0814A01BE3401212C742
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
Similarity
• API ID:
• String ID: Xbq$Xbq$Xbq$Xbq
• API String ID: 0-2732225958
• Opcode ID: 8064a0e479a50db349fb2204e2e76e595209c7950d35c8117a6cdff18dd1ee3b
• Instruction ID: 189f2116f0f102fac546c6bdc6af9532f2930baedf6febc5d88f6da934d7971f
• Opcode Fuzzy Hash: 8064a0e479a50db349fb2204e2e76e595209c7950d35c8117a6cdff18dd1ee3b
• Instruction Fuzzy Hash: A83191B0E1021B8FDF698BAD89413AEBAF6ABC4310F144079C605A7255EB308991CF92
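Every function above comes from the same dump, `0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp`, which the report marks as not PE-backed. The practitioner's question is what that region is: the file name encodes the process, base address and page protection, and 0x40 is PAGE_EXECUTE_READWRITE, so these functions were carved from a writable, executable, image-less region of process 12, which is what an unpacked or injected payload looks like. The script below is an added example, not Joe Sandbox code: it parses the entries as laid out above, decodes the dump name, cross-checks it against the `hcaresult_<pid>_<snapshot>_<base>_...` snapshot name, and indexes functions by Instruction Fuzzy Hash so they can be matched across reports. The field layout of the `.sdmp` name (pid, snapshot, dump id, base, protection, then three further fields) and the reading of the seventh field as a Windows MEM_* type are assumptions inferred from this report; only the PAGE_* and MEM_* constants themselves are from winnt.h. The sample input is two entries copied from the listing above.

```python
import re
from collections import defaultdict

# Windows PAGE_* protection constants (winnt.h).
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
# Windows MEM_* region types (winnt.h). Assumption: the seventh .sdmp field holds one.
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed .sdmp layout: pid.snapshot.dumpid.base.protect.f6.memtype.f8 (hex fields).
SDMP_RE = re.compile(r"^(?P<pid>[0-9a-f]{8})\.(?P<snap>[0-9a-f]{8})\.(?P<dump>\d+)\."
                     r"(?P<base>[0-9a-f]{16})\.(?P<prot>[0-9a-f]{8})\.(?P<f6>[0-9a-f]{8})\."
                     r"(?P<mtype>[0-9a-f]{8})\.(?P<f8>[0-9a-f]{8})\.sdmp$", re.I)
SRC_RE = re.compile(r"(?P<name>\S+\.sdmp), Offset: (?P<off>[0-9a-f]+), based on PE: (?P<pe>true|false)", re.I)
# Assumed snapshot-file layout: hcaresult_<pid decimal>_<snapshot>_<base hex>_<random>.jbxd
SNAP_RE = re.compile(r"^hcaresult_(\d+)_(\d+)_([0-9a-f]+)_", re.I)

def decode_sdmp(name):
    """Decode the fields of a Joe Sandbox memory-dump file name."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError("unexpected .sdmp name: " + name)
    prot, mtype = int(m["prot"], 16), int(m["mtype"], 16)
    return {"pid": int(m["pid"], 16), "snapshot": int(m["snap"], 16),
            "base": int(m["base"], 16),
            "protect": PAGE_PROTECT.get(prot & 0xFF, hex(prot)),   # low byte: PAGE_* value
            "executable": bool(prot & 0xF0), "writable": bool(prot & 0xCC),
            "mem_type": MEM_TYPE.get(mtype, hex(mtype))}

def parse_entries(text):
    """Split the report listing into one dict per 'Memory Dump Source' block."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()          # drop bullet and indentation
        if line == "Memory Dump Source":
            cur = {}
            entries.append(cur)
        elif cur is not None and ":" in line:            # "Key: value" rows only
            key, _, value = line.partition(":")
            cur[key.strip()] = value.strip()
    for e in entries:
        m = SRC_RE.match(e["Source File"])
        e["sdmp"] = decode_sdmp(m["name"])
        e["offset"] = int(m["off"], 16)
        e["pe_backed"] = m["pe"].lower() == "true"
    return entries

def snapshot_matches(entry):
    """Cross-check pid/snapshot/base in the .sdmp name against the snapshot file name."""
    m = SNAP_RE.match(entry.get("Snapshot File", ""))
    if not m:
        return False
    d = entry["sdmp"]
    return (int(m[1]), int(m[2]), int(m[3], 16)) == (d["pid"], d["snapshot"], d["base"])

def region_summary(entries):
    """Group functions by (pid, base) and flag RWX regions that are not PE-backed."""
    out = {}
    for e in entries:
        d = e["sdmp"]
        r = out.setdefault((d["pid"], d["base"]), {
            "protect": d["protect"], "mem_type": d["mem_type"], "pe_backed": e["pe_backed"],
            "functions": 0, "with_strings": 0,
            "suspicious": d["executable"] and d["writable"] and not e["pe_backed"]})
        r["functions"] += 1
        r["with_strings"] += bool(e.get("String ID"))
    return out

def index_by_fuzzy_hash(entries):
    """Map Instruction Fuzzy Hash -> Opcode IDs, for matching functions across reports."""
    idx = defaultdict(list)
    for e in entries:
        idx[e["Instruction Fuzzy Hash"]].append(e["Opcode ID"])
    return dict(idx)

# Sample input: two entries copied from the listing above.
SAMPLE = """Memory Dump Source
• Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
• API ID:
• String ID:
• API String ID:
• Opcode ID: a996f9ad646c47714b2906c99e3374946092e134bdc863dd3eae069a9b76247b
• Instruction ID: e06bd775af30ac334121c2b0859efda42cbb0fa633df5c06cc5cb331dcc4730e
• Opcode Fuzzy Hash: a996f9ad646c47714b2906c99e3374946092e134bdc863dd3eae069a9b76247b
• Instruction Fuzzy Hash: BDC08C6400D2C00FCF5313606C6A0663FB0AD4320071408CAD0814A01BE3401212C742
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2905674530.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_1230000_nDVstwLnVvg.jbxd
• API ID:
• String ID: Xbq$Xbq$Xbq$Xbq
• API String ID: 0-2732225958
• Opcode ID: 8064a0e479a50db349fb2204e2e76e595209c7950d35c8117a6cdff18dd1ee3b
• Instruction ID: 189f2116f0f102fac546c6bdc6af9532f2930baedf6febc5d88f6da934d7971f
• Opcode Fuzzy Hash: 8064a0e479a50db349fb2204e2e76e595209c7950d35c8117a6cdff18dd1ee3b
• Instruction Fuzzy Hash: A83191B0E1021B8FDF698BAD89413AEBAF6ABC4310F144079C605A7255EB308991CF92
"""
```

Run `region_summary(parse_entries(SAMPLE))` to get one region keyed `(12, 0x1230000)` with `PAGE_EXECUTE_READWRITE`, `MEM_PRIVATE`, `pe_backed` False and `suspicious` True. The Opcode Fuzzy Hash equals the Opcode ID in every entry here, so the Instruction Fuzzy Hash is the field worth indexing when looking for the same function in other reports of this family; the `snapshot_matches` check guards against pasting entries from two different dumps into one analysis.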