Windows Analysis Report
SPOOOFER776.exe

Overview

General Information

Sample name: SPOOOFER776.exe
Analysis ID: 1590903
MD5: 66a9fe0ffb298b4c4c390dee3bc534e9
SHA1: 5dc498039926c0c342c536d3cccf1e5c1dd752d8
SHA256: 0fc0de254bc80e54c708fbd0eb0460c730283508b94108e4b2d1d70525ef3fce
Tags: exe, malware, trojan, user-Joker

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for sample
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • SPOOOFER776.exe (PID: 6904 cmdline: "C:\Users\user\Desktop\SPOOOFER776.exe" MD5: 66A9FE0FFB298B4C4C390DEE3BC534E9)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
SPOOOFER776.exe | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
SPOOOFER776.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
SPOOOFER776.exe | INDICATOR_SUSPICIOUS_DisableWinDefender | Detects executables containing artifacts associated with disabling Windows Defender | ditekSHen | matched strings listed below
  • 0x551718:$reg1: SOFTWARE\Microsoft\Windows Defender\Features
  • 0x551798:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender
  • 0x55181d:$reg2: SOFTWARE\Policies\Microsoft\Windows Defender
  • 0x551c82:$s1: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true
  • 0x551d3a:$s2: Set-MpPreference -DisableArchiveScanning $true
  • 0x551dda:$s3: Set-MpPreference -DisableIntrusionPreventionSystem $true
  • 0x551e78:$s4: Set-MpPreference -DisableScriptScanning $true
  • 0x551f02:$s5: Set-MpPreference -SubmitSamplesConsent 2
  • 0x551f70:$s6: Set-MpPreference -MAPSReporting 0
  • 0x551fe8:$s7: Set-MpPreference -HighThreatDefaultAction 6
  • 0x552086:$s8: Set-MpPreference -ModerateThreatDefaultAction 6
  • 0x552114:$s9: Set-MpPreference -LowThreatDefaultAction 6
  • 0x55219e:$s10: Set-MpPreference -SevereThreatDefaultAction 6

Source (memory dumps) | Rule | Description | Author | Strings
00000000.00000002.1982188192.0000000007C70000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
00000000.00000000.1864156282.0000000000F4D000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
00000000.00000002.1974541992.00000000066F0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
00000000.00000002.1963979501.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
Process Memory Space: SPOOOFER776.exe PID: 6904 | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |

Source (unpacked PE) | Rule | Description | Author | Strings
0.2.SPOOOFER776.exe.7c70000.10.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
0.2.SPOOOFER776.exe.4aa15f0.7.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
0.2.SPOOOFER776.exe.66f0000.9.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
0.2.SPOOOFER776.exe.4fa1610.8.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
0.0.SPOOOFER776.exe.d50000.0.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security |
                          No Sigma rule has matched
                          No Suricata rule has matched


                          AV Detection

Source: SPOOOFER776.exeVirustotal: Detection: 73%
Source: SPOOOFER776.exeReversingLabs: Detection: 63%
Source: Submitted SampleIntegrated Neural Analysis Model: Matched 99.2% probability
                          Source: SPOOOFER776.exeJoe Sandbox ML: detected
                          Source: SPOOOFER776.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                          Source: unknownHTTPS traffic detected: 104.26.0.5:443 -> 192.168.2.4:49738 version: TLS 1.2
                          Source: SPOOOFER776.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Source: Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Spoofer Valorant C#\Spoofer Valorant Atual\SpooferAtualizado\obj\Release\SPOOOFER.pdb source: SPOOOFER776.exe
                          Source: Binary string: $iq.costura.icsharpcode.sharpziplib.pdb.compressed source: SPOOOFER776.exe, 00000000.00000002.1963979501.00000000035C1000.00000004.00000800.00020000.00000000.sdmp
                          Source: Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed source: SPOOOFER776.exe
                          Source: Binary string: costura.costura.pdb.compressed source: SPOOOFER776.exe
                          Source: Binary string: Siticone.Desktop.UI.pdb source: SPOOOFER776.exe, 00000000.00000002.1964529197.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1974541992.00000000066F0000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1963979501.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1964529197.0000000004FA1000.00000004.00000800.00020000.00000000.sdmp
                          Source: Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Spoofer Valorant C#\Spoofer Valorant Atual\SpooferAtualizado\obj\Release\SPOOOFER.pdbBdU^dU PdU_CorExeMainmscoree.dll source: SPOOOFER776.exe
                          Source: Binary string: guna.ui2?costura.guna.ui2.dll.compressed/icsharpcode.sharpziplib]costura.icsharpcode.sharpziplib.dll.compressed]costura.icsharpcode.sharpziplib.pdb.compressed source: SPOOOFER776.exe
                          Source: Binary string: Siticone.Desktop.UI.pdb8@N@ @@_CorDllMainmscoree.dll source: SPOOOFER776.exe, 00000000.00000002.1964529197.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1974541992.00000000066F0000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1963979501.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1964529197.0000000004FA1000.00000004.00000800.00020000.00000000.sdmp
                          Source: Binary string: costura.icsharpcode.sharpziplib.pdb.compressed source: SPOOOFER776.exe
                          Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|6C6000A5EAF8579850AB82A89BD6268776EB51AD|2608 source: SPOOOFER776.exe
                          Source: Binary string: costura.icsharpcode.sharpziplib.pdb.compressed|||ICSharpCode.SharpZipLib.pdb|E1FCA83029D1440F54FB3747B240365A6DF0A598|121652 source: SPOOOFER776.exe

                          Networking

                          Source: Yara matchFile source: SPOOOFER776.exe, type: SAMPLE
                          Source: Yara matchFile source: 0.2.SPOOOFER776.exe.7c70000.10.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.SPOOOFER776.exe.4aa15f0.7.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.SPOOOFER776.exe.66f0000.9.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.SPOOOFER776.exe.4fa1610.8.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.0.SPOOOFER776.exe.d50000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 00000000.00000002.1982188192.0000000007C70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000002.1974541992.00000000066F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                          Source: global trafficHTTP traffic detected: POST /api/1.0/ HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: keyauth.winContent-Length: 396Expect: 100-continueConnection: Keep-Alive
                          Source: Joe Sandbox ViewIP Address: 104.26.0.5 104.26.0.5
                          Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                          Source: global trafficDNS traffic detected: DNS query: keyauth.win
                          Source: unknownHTTP traffic detected: POST /api/1.0/ HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: keyauth.winContent-Length: 396Expect: 100-continueConnection: Keep-Alive
                          Source: SPOOOFER776.exeString found in binary or memory: http://167.114.85.75/logo.zip
                          Source: SPOOOFER776.exeString found in binary or memory: http://167.114.85.75/mac.bat
                          Source: SPOOOFER776.exeString found in binary or memory: http://167.114.85.75/tpmbypassspoofer.exe
                          Source: SPOOOFER776.exe, 00000000.00000002.1964529197.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1978520100.0000000006B31000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1974541992.00000000066F0000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1978520100.0000000006DB1000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1982188192.0000000007C70000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1963979501.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1964529197.0000000004FA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                          Source: SPOOOFER776.exe, 00000000.00000002.1964529197.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1978520100.0000000006B31000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1974541992.00000000066F0000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1978520100.0000000006DB1000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1982188192.0000000007C70000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1963979501.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1964529197.0000000004FA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                          Source: SPOOOFER776.exe, 00000000.00000002.1964529197.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1978520100.0000000006B31000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1974541992.00000000066F0000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1978520100.0000000006DB1000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1982188192.0000000007C70000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1963979501.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1964529197.0000000004FA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                          Source: SPOOOFER776.exe, 00000000.00000002.1964529197.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1978520100.0000000006B31000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1974541992.00000000066F0000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1978520100.0000000006DB1000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1982188192.0000000007C70000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1963979501.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1964529197.0000000004FA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                          Source: SPOOOFER776.exe, 00000000.00000002.1964529197.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1978520100.0000000006B31000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1974541992.00000000066F0000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1978520100.0000000006DB1000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1982188192.0000000007C70000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1963979501.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1964529197.0000000004FA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                          Source: SPOOOFER776.exe, 00000000.00000002.1964529197.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1978520100.0000000006B31000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1974541992.00000000066F0000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1978520100.0000000006DB1000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1982188192.0000000007C70000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1963979501.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1964529197.0000000004FA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                          Source: SPOOOFER776.exe, 00000000.00000002.1964529197.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1974541992.00000000066F0000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1964529197.0000000004FA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://gdata.youtube.com/feeds/api/videos/
                          Source: SPOOOFER776.exe, 00000000.00000002.1963979501.00000000036FF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://keyauth.win
                          Source: SPOOOFER776.exe, 00000000.00000002.1963979501.00000000036FF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://keyauth.wind
                          Source: SPOOOFER776.exe, 00000000.00000002.1964529197.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1978520100.0000000006B31000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1974541992.00000000066F0000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1978520100.0000000006DB1000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1982188192.0000000007C70000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1963979501.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1964529197.0000000004FA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                          Source: SPOOOFER776.exe, 00000000.00000002.1964529197.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1978520100.0000000006B31000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1974541992.00000000066F0000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1978520100.0000000006DB1000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1982188192.0000000007C70000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1963979501.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1964529197.0000000004FA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                          Source: SPOOOFER776.exe, 00000000.00000002.1964529197.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1978520100.0000000006B31000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1974541992.00000000066F0000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1978520100.0000000006DB1000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1982188192.0000000007C70000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1963979501.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1964529197.0000000004FA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                          Source: SPOOOFER776.exe, 00000000.00000002.1963979501.0000000003728000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org
                          Source: SPOOOFER776.exe, 00000000.00000002.1963979501.0000000003728000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
                          Source: SPOOOFER776.exe, 00000000.00000002.1963979501.0000000003728000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/KeyAuth
                          Source: SPOOOFER776.exe, 00000000.00000002.1963979501.0000000003728000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/KeyAuthd
                          Source: SPOOOFER776.exe, 00000000.00000002.1963979501.00000000036EE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                          Source: SPOOOFER776.exe, 00000000.00000002.1964529197.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1974541992.00000000066F0000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1964529197.0000000004FA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://vimeo.com/api/v2/video/
                          Source: SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                          Source: SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                          Source: SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                          Source: SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                          Source: SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                          Source: SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                          Source: SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                          Source: SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                          Source: SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                          Source: SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                          Source: SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                          Source: SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                          Source: SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                          Source: SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                          Source: SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                          Source: SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                          Source: SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                          Source: SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                          Source: SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                          Source: SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                          Source: SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                          Source: SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                          Source: SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                          Source: SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                          Source: SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                          Source: SPOOOFER776.exeString found in binary or memory: https://api.ipify.org)Nome
                          Source: SPOOOFER776.exeString found in binary or memory: https://discord.com/api/webhooks/1222693252319416370/7HHFXJ3XDvpPWnJrESXq2ra2rQYgEisxjWubp5mRiRjzLmM
                          Source: SPOOOFER776.exeString found in binary or memory: https://github.com/Bronkzware/dsfgsgfgfgs/raw/refs/heads/main/AFUWINx64.EXE
                          Source: SPOOOFER776.exeString found in binary or memory: https://github.com/Bronkzware/dsfgsgfgfgs/raw/refs/heads/main/AMIDEWINx64.exe
                          Source: SPOOOFER776.exeString found in binary or memory: https://github.com/Bronkzware/dsfgsgfgfgs/raw/refs/heads/main/AMIFLDRV64.sys
                          Source: SPOOOFER776.exeString found in binary or memory: https://github.com/Bronkzware/dsfgsgfgfgs/raw/refs/heads/main/Volumeid64.exe
                          Source: SPOOOFER776.exeString found in binary or memory: https://github.com/Bronkzware/dsfgsgfgfgs/raw/refs/heads/main/amifldrv64_1.sys
                          Source: SPOOOFER776.exe, 00000000.00000002.1963979501.00000000035C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gunaui.com/
                          Source: SPOOOFER776.exe, 00000000.00000002.1963979501.00000000035C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gunaui.com/LRiq
                          Source: SPOOOFER776.exe, 00000000.00000002.1963979501.00000000035C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gunaui.com/api/licensing.php
                          Source: SPOOOFER776.exe, 00000000.00000002.1963979501.00000000035C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gunaui.com/api/licensing.phpLRiq
                          Source: SPOOOFER776.exe, 00000000.00000002.1963979501.00000000035C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gunaui.com/pricing
                          Source: SPOOOFER776.exe, 00000000.00000002.1963979501.00000000035C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gunaui.com/pricingLRiq(pf
                          Source: SPOOOFER776.exe, 00000000.00000002.1963979501.00000000036EE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://keyauth.win
                          Source: SPOOOFER776.exe, 00000000.00000002.1963979501.00000000036C2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://keyauth.win/api/1.0/
                          Source: SPOOOFER776.exeString found in binary or memory: https://keyauth.win/api/1.0/aYou
                          Source: SPOOOFER776.exeString found in binary or memory: https://keyauth.win/api/1.1/
                          Source: SPOOOFER776.exe, 00000000.00000002.1963979501.00000000035C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://payments.siticoneframework.com/api/licensing.php
                          Source: SPOOOFER776.exe, 00000000.00000002.1964529197.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1974541992.00000000066F0000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1964529197.0000000004FA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://payments.siticoneframework.com/api/licensing.php%Siticone
                          Source: SPOOOFER776.exe, 00000000.00000002.1964529197.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1974541992.00000000066F0000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1964529197.0000000004FA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.siticoneframework.com/Mhttps://siticoneframework.com/pricing/Mhttps://siticoneframework.
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
                          Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
                          Source: unknownHTTPS traffic detected: 104.26.0.5:443 -> 192.168.2.4:49738 version: TLS 1.2

                          System Summary

Source: SPOOOFER776.exe, type: SAMPLEMatched rule: Detects executables containing artifacts associated with disabling Windows Defender Author: ditekSHen
Source: 0.0.SPOOOFER776.exe.d50000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables containing artifacts associated with disabling Windows Defender Author: ditekSHen
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_01C2E40C
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_06B0E798
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_06B0A239
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_06B0CDE3
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_06B07DD8
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_06B09918
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_06B0E788
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_06B00A90
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_06B00A80
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_06B0A8F8
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_06B09570
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_06B09563
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_06B0BE72
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_06B0BCF0
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_06B0DDA8
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_06B0BD89
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_06B07DD6
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_06B07DC8
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_06B0BD00
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_06B0BD5F
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_06B09908
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_09212AA8
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_09219F90
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_0921CE94
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_0921D978
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_09212A98
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_092120E0
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_092120F0
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_0921E638
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_0996E9B4
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_0996E9E4
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_09964B3C
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_0996FAF1
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_09968A64
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_0996EA64
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_099660F8
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_0996F2D0
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_0996F492
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_09963650
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_09963641
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_09969679
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_09B379A0
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_09B3799C
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_09B39408
Source: SPOOOFER776.exe, 00000000.00000002.1964529197.00000000047A2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSiticone.Desktop.UI.dllH vs SPOOOFER776.exe
Source: SPOOOFER776.exe, 00000000.00000002.1978520100.0000000006B31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameGuna.UI2.dllD vs SPOOOFER776.exe
Source: SPOOOFER776.exe, 00000000.00000002.1974541992.00000000066F0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSiticone.Desktop.UI.dllH vs SPOOOFER776.exe
Source: SPOOOFER776.exe, 00000000.00000002.1963979501.00000000036C2000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSPOOOFER.exeD vs SPOOOFER776.exe
Source: SPOOOFER776.exe, 00000000.00000002.1978520100.0000000006DB1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameGuna.UI2.dllD vs SPOOOFER776.exe
Source: SPOOOFER776.exe, 00000000.00000002.1982188192.0000000007C70000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameGuna.UI2.dllD vs SPOOOFER776.exe
Source: SPOOOFER776.exe, 00000000.00000002.1963979501.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSiticone.Desktop.UI.dllH vs SPOOOFER776.exe
Source: SPOOOFER776.exe, 00000000.00000002.1963979501.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameGuna.UI2.dllD vs SPOOOFER776.exe
Source: SPOOOFER776.exe, 00000000.00000000.1864899967.00000000012E7000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSPOOOFER.exeD vs SPOOOFER776.exe
Source: SPOOOFER776.exe, 00000000.00000002.1963235020.0000000001A1E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SPOOOFER776.exe
Source: SPOOOFER776.exe, 00000000.00000002.1964529197.0000000004FA1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSiticone.Desktop.UI.dllH vs SPOOOFER776.exe
Source: SPOOOFER776.exe | Binary or memory string: OriginalFilenameSPOOOFER.exeD vs SPOOOFER776.exe
Source: SPOOOFER776.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: SPOOOFER776.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifacts associated with disabling Windows Defender
Source: 0.0.SPOOOFER776.exe.d50000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifacts associated with disabling Windows Defender
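The two rule matches above are string hits on the Defender registry paths quoted in the report header. The following is an added example, not code from the report and not ditekSHen's rule: a minimal scanner for the same two paths that searches both ASCII and UTF-16LE, because C# string literals are stored UTF-16LE in the assembly's #US heap and an ASCII-only search would miss them in a .NET sample like this one (YARA handles this with the `ascii wide` modifiers; whether the original rule uses them is not shown on this page). The byte buffer it scans is constructed here, and the `classify()` verdict is this example's own approximation of the rule's intent, not its actual condition.

```python
"""Added example: locate the Defender registry-path strings from the report's
YARA hit in a PE image, in both ASCII and UTF-16LE encodings.
Not part of the Joe Sandbox report; the scanned buffer is constructed."""
import re

# The two paths quoted in the report's rule match ($reg1, $reg2).
DEFENDER_KEYS = [
    r"SOFTWARE\Microsoft\Windows Defender\Features",
    r"SOFTWARE\Policies\Microsoft\Windows Defender",
]


def find_strings(data, needles=DEFENDER_KEYS):
    """Return [(needle, offset, encoding)] for every ASCII or UTF-16LE hit,
    sorted by file offset. .NET user strings (#US heap) are UTF-16LE, so a
    scanner that only tries ASCII misses C# literals."""
    hits = []
    for needle in needles:
        for enc in ("ascii", "utf-16-le"):
            pat = re.escape(needle.encode(enc))
            for m in re.finditer(pat, data):
                hits.append((needle, m.start(), enc))
    return sorted(hits, key=lambda h: h[1])


def classify(data):
    """Assumed approximation of the rule's intent: flag if any key string is
    present. A string reference alone proves the code names the key, not that
    it writes to it; confirm against the registry events the sandbox logged."""
    hits = find_strings(data)
    return {
        "hits": hits,
        "suspicious": len({h[0] for h in hits}) > 0,
        "note": "string reference only; corroborate with observed registry writes",
    }


def build_sample():
    """Constructed buffer: padding, one ASCII copy of the first key, an unrelated
    UTF-16LE string, then a UTF-16LE copy of the second key (as the #US heap
    of a C# assembly would hold it)."""
    blob = b"\x00" * 64
    blob += DEFENDER_KEYS[0].encode("ascii") + b"\x00" * 16
    blob += "Guna.UI2.dll".encode("utf-16-le") + b"\x00" * 8
    blob += DEFENDER_KEYS[1].encode("utf-16-le") + b"\x00" * 32
    return blob


if __name__ == "__main__":
    for needle, off, enc in find_strings(build_sample()):
        print(f"{off:#08x} {enc:10} {needle}")
```

Run against a real sample, the offsets reported for each hit can be compared with the `0x551718` / `0x551798` positions in the report to see which encoding the rule matched on.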
Source: classification engine | Classification label: mal72.troj.evad.winEXE@1/1@1/1
Source: C:\Users\user\Desktop\SPOOOFER776.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SPOOOFER776.exe.log
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Mutant created: NULL
Source: SPOOOFER776.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SPOOOFER776.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SPOOOFER776.exe | Virustotal: Detection: 73%
Source: SPOOOFER776.exe | ReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\SPOOOFER776.exe | File read: C:\Users\user\Desktop\SPOOOFER776.exe
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: dataexchange.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: dcomp.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Section loaded: wintypes.dll (3 load events)
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SPOOOFER776.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SPOOOFER776.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SPOOOFER776.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SPOOOFER776.exe | Static file information: File size 5856768 > 1048576
Source: SPOOOFER776.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x554600
Source: SPOOOFER776.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: SPOOOFER776.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Spoofer Valorant C#\Spoofer Valorant Atual\SpooferAtualizado\obj\Release\SPOOOFER.pdb | source: SPOOOFER776.exe
Source: Binary string: $iq.costura.icsharpcode.sharpziplib.pdb.compressed | source: SPOOOFER776.exe, 00000000.00000002.1963979501.00000000035C1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura=costura.costura.dll.compressed=costura.costura.pdb.compressed | source: SPOOOFER776.exe
Source: Binary string: costura.costura.pdb.compressed | source: SPOOOFER776.exe
Source: Binary string: Siticone.Desktop.UI.pdb | source: SPOOOFER776.exe, 00000000.00000002.1964529197.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1974541992.00000000066F0000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1963979501.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1964529197.0000000004FA1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Spoofer Valorant C#\Spoofer Valorant Atual\SpooferAtualizado\obj\Release\SPOOOFER.pdbBdU^dU PdU_CorExeMainmscoree.dll | source: SPOOOFER776.exe
Source: Binary string: guna.ui2?costura.guna.ui2.dll.compressed/icsharpcode.sharpziplib]costura.icsharpcode.sharpziplib.dll.compressed]costura.icsharpcode.sharpziplib.pdb.compressed | source: SPOOOFER776.exe
Source: Binary string: Siticone.Desktop.UI.pdb8@N@ @@_CorDllMainmscoree.dll | source: SPOOOFER776.exe, 00000000.00000002.1964529197.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1974541992.00000000066F0000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1963979501.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1964529197.0000000004FA1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.icsharpcode.sharpziplib.pdb.compressed | source: SPOOOFER776.exe
Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|6C6000A5EAF8579850AB82A89BD6268776EB51AD|2608 | source: SPOOOFER776.exe
Source: Binary string: costura.icsharpcode.sharpziplib.pdb.compressed|||ICSharpCode.SharpZipLib.pdb|E1FCA83029D1440F54FB3747B240365A6DF0A598|121652 | source: SPOOOFER776.exe

Data Obfuscation

Source: Yara match | File source: SPOOOFER776.exe, type: SAMPLE
Source: Yara match | File source: 0.0.SPOOOFER776.exe.d50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1864156282.0000000000F4D000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1963979501.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SPOOOFER776.exe PID: 6904, type: MEMORYSTR
Source: SPOOOFER776.exe | Static PE information: 0xF237E430 [Fri Oct 10 03:12:48 2098 UTC]
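The "suspicious time stamp" finding above is the COFF TimeDateStamp 0xF237E430, which decodes to a date in 2098. For this sample that value deserves a caveat before it is counted as evidence of tampering: the file is a .NET assembly (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR present, mscoree.dll loaded), and Roslyn's deterministic builds, the default in current .NET SDKs and Visual Studio project templates, write a content hash into this field with the high bit set rather than a build time, which lands the decoded date after 2038 by construction. The following is an added example, not code from the report or from Joe Sandbox, that decodes the stamp from a PE header and applies that caveat; the PE bytes it parses are constructed here, not taken from SPOOOFER776.exe, and the wording of the verdicts is this example's own.

```python
"""Added example: decode a PE TimeDateStamp and judge whether a far-future value
is really suspicious, taking the .NET deterministic-build case into account.
Not part of the Joe Sandbox report; the PE header bytes below are constructed."""
import struct
from datetime import datetime, timedelta, timezone

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
COM_DESCRIPTOR_INDEX = 14   # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: the CLR header

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def coff_timestamp_to_utc(ts):
    """Render a 32-bit TimeDateStamp as 'YYYY-MM-DD HH:MM:SS' (UTC). timedelta
    arithmetic is used because fromtimestamp() rejects far-future values on
    some platforms."""
    return (EPOCH + timedelta(seconds=ts)).strftime("%Y-%m-%d %H:%M:%S")


def analyze_pe(data, now=None):
    """Return the stamp, whether the image carries a CLR header, and a verdict."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = pe_off + 4
    ts = struct.unpack_from("<I", data, coff + 4)[0]            # TimeDateStamp
    opt = coff + 20                                             # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    # NumberOfRvaAndSizes is at +92 for PE32 and +108 for PE32+; directories follow it
    dd_count_off = opt + (92 if magic == PE32_MAGIC else 108)
    num_dirs = struct.unpack_from("<I", data, dd_count_off)[0]
    dirs = dd_count_off + 4
    is_dotnet = False
    if num_dirs > COM_DESCRIPTOR_INDEX:
        rva, size = struct.unpack_from("<II", data, dirs + COM_DESCRIPTOR_INDEX * 8)
        is_dotnet = rva != 0 and size != 0
    now = now or datetime.now(timezone.utc)
    in_future = EPOCH + timedelta(seconds=ts) > now
    if in_future and is_dotnet:
        verdict = ("future timestamp on a .NET image: consistent with a "
                   "deterministic-build hash, weak indicator on its own")
    elif in_future:
        verdict = "future timestamp on a native image: likely forged, worth a closer look"
    else:
        verdict = "plausible build time"
    return {"timestamp": ts, "utc": coff_timestamp_to_utc(ts), "is_dotnet": is_dotnet,
            "in_future": in_future, "verdict": verdict}


def build_sample(ts, dotnet):
    """Construct a minimal (non-loadable) PE32 header carrying the given stamp,
    optionally with a populated CLR data directory entry."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    # Machine=i386, 1 section, stamp, no symbols, 224-byte optional header,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + COM_DESCRIPTOR_INDEX * 8, 0x2008, 0x48)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for flag in (True, False):
        r = analyze_pe(build_sample(0xF237E430, dotnet=flag))
        print(f"{r['timestamp']:#010x} {r['utc']} dotnet={r['is_dotnet']}: {r['verdict']}")
```

Against a real file, read it into `data` and call `analyze_pe(data)`; the .NET branch reproduces the 2098 date from the report and downgrades it, while the same stamp on a native image keeps the original weight of the finding.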
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_06B0C247 push ecx; iretd 0_2_06B0C248
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_06B0C3BE push ebx; ret 0_2_06B0C3E5
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_09B319F7 push eax; retn 0070h 0_2_09B31A02
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_09B31A97 push eax; retn 0070h 0_2_09B31AA2
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_09B31A9C push eax; retn 0070h 0_2_09B31AA2
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_09B31A87 push eax; retn 0070h 0_2_09B31A92
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_09B31A3C push eax; retn 0070h 0_2_09B31A42
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_09B31A27 push eax; retn 0070h 0_2_09B31A32
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_09B31A17 push eax; retn 0070h 0_2_09B31A22
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_09B31A07 push eax; retn 0070h 0_2_09B31A12
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_09B31A6A push eax; retn 0070h 0_2_09B31A82
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_09B31A6C push eax; retn 0070h 0_2_09B31A72
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_09B31A47 push eax; retn 0070h 0_2_09B31A32
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_09B34CB8 push E805AF15h; iretd 0_2_09B34CBD
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_09B34363 push E805C65Eh; ret 0_2_09B34369
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Code function: 0_2_09B34340 push E806BD5Eh; retf 0_2_09B34361
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Process information set: NOOPENFILEERRORBOX (66 identical events)
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Memory allocated: 1C20000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Memory allocated: 35C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Memory allocated: 55C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Memory allocated: 6B30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Memory allocated: 7B30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SPOOOFER776.exe TID: 5328 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\SPOOOFER776.exe TID: 6020 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\SPOOOFER776.exe TID: 6984 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Thread delayed: delay time: 922337203685477
Note on the value 922337203685477: it is 2^63 in 100 ns ticks expressed in milliseconds, i.e. the 0x8000000000000000 relative interval that Sleep(INFINITE) and the CLR's Timeout.Infinite waits hand to NtDelayExecution. It denotes an unbounded wait (a blocked thread), not a calibrated delay, so the "long sleeps" and "evasive loops" signatures rest on the single bounded delay from TID 6020, which sits exactly at the 30000 reporting threshold.
Source: SPOOOFER776.exe, 00000000.00000002.1974179062.0000000005FA7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Queries volume information: C:\Users\user\Desktop\SPOOOFER776.exe VolumeInformation
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation (9 identical events)
Source: C:\Users\user\Desktop\SPOOOFER776.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\SPOOOFER776.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
MITRE ATT&CK matrix (techniques listed per tactic; the number in parentheses is the report's hit count for techniques the sample matched):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Privilege Escalation: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (31), Timestomp (1), DLL Side-Loading (1), Obfuscated Files or Information (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery: Security Software Discovery (1), Virtualization/Sandbox Evasion (31), System Information Discovery (12), System Network Configuration Discovery, Internet Connection Discovery, Wi-Fi Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
Command and Control: Encrypted Channel (11), Non-Application Layer Protocol (2), Application Layer Protocol (3), Protocol Impersonation, Fallback Channels, Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop
Antivirus detection for the submitted sample (Source | Detection | Scanner | Label):
SPOOOFER776.exe | 74% | Virustotal |
SPOOOFER776.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
SPOOOFER776.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Antivirus detection for URLs (Source | Detection | Scanner | Label):
http://keyauth.wind | 0% | Avira URL Cloud | safe
https://gunaui.com/api/licensing.phpLRiq | 0% | Avira URL Cloud | safe
https://gunaui.com/LRiq | 0% | Avira URL Cloud | safe
http://167.114.85.75/logo.zip | 0% | Avira URL Cloud | safe
http://167.114.85.75/tpmbypassspoofer.exe | 0% | Avira URL Cloud | safe
http://167.114.85.75/mac.bat | 0% | Avira URL Cloud | safe
http://schemas.datacontract.org/2004/07/KeyAuthd | 0% | Avira URL Cloud | safe
https://www.siticoneframework.com/Mhttps://siticoneframework.com/pricing/Mhttps://siticoneframework. | 0% | Avira URL Cloud | safe
https://gunaui.com/pricing | 0% | Avira URL Cloud | safe
https://gunaui.com/pricingLRiq(pf | 0% | Avira URL Cloud | safe
https://gunaui.com/ | 0% | Avira URL Cloud | safe
https://payments.siticoneframework.com/api/licensing.php%Siticone | 0% | Avira URL Cloud | safe
https://gunaui.com/api/licensing.php | 0% | Avira URL Cloud | safe
http://schemas.datacontract.org/2004/07/KeyAuth | 0% | Avira URL Cloud | safe
https://payments.siticoneframework.com/api/licensing.php | 0% | Avira URL Cloud | safe
https://api.ipify.org)Nome | 0% | Avira URL Cloud | safe
Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
keyauth.win | 104.26.0.5 | true | false | | high

Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
https://keyauth.win/api/1.0/ | false | | high
URLs found in memory and binary data (Name | Source | Malicious | Antivirus Detection | Reputation; an empty Antivirus Detection cell means no scanner result was recorded):
http://www.fontbureau.com/designersG | SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.datacontract.org | SPOOOFER776.exe, 00000000.00000002.1963979501.0000000003728000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://keyauth.win | SPOOOFER776.exe, 00000000.00000002.1963979501.00000000036EE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://keyauth.wind | SPOOOFER776.exe, 00000000.00000002.1963979501.00000000036FF000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://gunaui.com/api/licensing.phpLRiq | SPOOOFER776.exe, 00000000.00000002.1963979501.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Bronkzware/dsfgsgfgfgs/raw/refs/heads/main/amifldrv64_1.sys | SPOOOFER776.exe | false | | high
http://www.tiro.com | SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers | SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://gunaui.com/LRiq | SPOOOFER776.exe, 00000000.00000002.1963979501.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Bronkzware/dsfgsgfgfgs/raw/refs/heads/main/AFUWINx64.EXE | SPOOOFER776.exe | false | | high
http://www.sajatypeworks.com | SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.typography.netD | SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.galapagosdesign.com/staff/dennis.htm | SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://167.114.85.75/tpmbypassspoofer.exe | SPOOOFER776.exe | false | Avira URL Cloud: safe | unknown
http://167.114.85.75/logo.zip | SPOOOFER776.exe | false | Avira URL Cloud: safe | unknown
http://167.114.85.75/mac.bat | SPOOOFER776.exe | false | Avira URL Cloud: safe | unknown
https://www.siticoneframework.com/Mhttps://siticoneframework.com/pricing/Mhttps://siticoneframework. | SPOOOFER776.exe, 00000000.00000002.1964529197.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1974541992.00000000066F0000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1964529197.0000000004FA1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.urwpp.deDPlease | SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.zhongyicts.com.cn | SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SPOOOFER776.exe, 00000000.00000002.1963979501.00000000036EE000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://gunaui.com/pricing | SPOOOFER776.exe, 00000000.00000002.1963979501.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://gunaui.com/pricingLRiq(pf | SPOOOFER776.exe, 00000000.00000002.1963979501.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.datacontract.org/2004/07/KeyAuthd | SPOOOFER776.exe, 00000000.00000002.1963979501.0000000003728000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://vimeo.com/api/v2/video/ | SPOOOFER776.exe, 00000000.00000002.1964529197.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1974541992.00000000066F0000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1964529197.0000000004FA1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.datacontract.org/2004/07/ | SPOOOFER776.exe, 00000000.00000002.1963979501.0000000003728000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://gdata.youtube.com/feeds/api/videos/ | SPOOOFER776.exe, 00000000.00000002.1964529197.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1974541992.00000000066F0000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1964529197.0000000004FA1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://keyauth.win | SPOOOFER776.exe, 00000000.00000002.1963979501.00000000036FF000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://payments.siticoneframework.com/api/licensing.php%Siticone | SPOOOFER776.exe, 00000000.00000002.1964529197.00000000047A2000.00000004.00000800.00020000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1974541992.00000000066F0000.00000004.08000000.00040000.00000000.sdmp, SPOOOFER776.exe, 00000000.00000002.1964529197.0000000004FA1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://keyauth.win/api/1.0/aYou | SPOOOFER776.exe | false | | high
https://keyauth.win/api/1.1/ | SPOOOFER776.exe | false | | high
http://www.carterandcone.coml | SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/cabarga.htmlN | SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://discord.com/api/webhooks/1222693252319416370/7HHFXJ3XDvpPWnJrESXq2ra2rQYgEisxjWubp5mRiRjzLmM | SPOOOFER776.exe | false | | high
http://www.founder.com.cn/cn | SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/frere-user.html | SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Bronkzware/dsfgsgfgfgs/raw/refs/heads/main/AMIDEWINx64.exe | SPOOOFER776.exe | false | | high
https://payments.siticoneframework.com/api/licensing.php | SPOOOFER776.exe, 00000000.00000002.1963979501.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Bronkzware/dsfgsgfgfgs/raw/refs/heads/main/AMIFLDRV64.sys | SPOOOFER776.exe | false | | high
http://www.jiyu-kobo.co.jp/ | SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers8 | SPOOOFER776.exe, 00000000.00000002.1996226419.0000000009292000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/Bronkzware/dsfgsgfgfgs/raw/refs/heads/main/Volumeid64.exe | SPOOOFER776.exe | false | | high
https://gunaui.com/api/licensing.php | SPOOOFER776.exe, 00000000.00000002.1963979501.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.datacontract.org/2004/07/KeyAuth | SPOOOFER776.exe, 00000000.00000002.1963979501.0000000003728000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org)Nome | SPOOOFER776.exe | false | Avira URL Cloud: safe | unknown
https://gunaui.com/ | SPOOOFER776.exe, 00000000.00000002.1963979501.00000000035C1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
104.26.0.5 | keyauth.win | United States | 13335 | CLOUDFLARENET US | false
General Information

Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1590903
Start date and time: 2025-01-14 16:54:57 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 30s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of analysed new started processes: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SPOOOFER776.exe
Detection: MAL
Classification: mal72.troj.evad.winEXE@1/1@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 63
• Number of non-executed functions: 27
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 184.28.90.27, 4.175.87.197, 13.107.246.45
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                              No simulations
Match (IP): 104.26.0.5
Associated Sample Name / URL | Detection | Threat Name
EspPrivStoreAtt116.exe | malicious | Unknown
AimPrivStoreAtt117.exe | malicious | Unknown
B06 Chair + Blocker.exe | malicious | Unknown
B06 Chair + Blocker.exe | malicious | Unknown
ak3o7AZ3mH.exe | malicious | Babadeda, Conti, Mimikatz
IJGLxMMTaK.exe | malicious | Unknown
IJGLxMMTaK.exe | malicious | Unknown
dMFmJxq6oK.exe | malicious | Unknown
file.exe | malicious | Unknown
IAdjMfB2A5.exe | malicious | XWorm
Match (domain): keyauth.win
Associated Sample Name / URL | Detection | Threat Name | Context (IP)
PlusPrivStoreAtt116.exe | malicious | Unknown | 104.26.1.5
AimPrivStoreAtt117.exe | malicious | Unknown | 172.67.72.57
EspPrivStoreAtt116.exe | malicious | Unknown | 104.26.0.5
tpmbypassprivatestore.exe | malicious | Unknown | 104.26.1.5
PlusPrivStoreAtt116.exe | malicious | Unknown | 104.26.1.5
AimPrivStoreAtt117.exe | malicious | Unknown | 104.26.0.5
B06 Chair + Blocker.exe | malicious | Unknown | 104.26.0.5
B06 Chair + Blocker.exe | malicious | Unknown | 104.26.0.5
ak3o7AZ3mH.exe | malicious | Babadeda, Conti, Mimikatz | 104.26.0.5
Match (ASN): CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context (IP)
PlusPrivStoreAtt116.exe | malicious | Unknown | 104.26.1.5
AimPrivStoreAtt117.exe | malicious | Unknown | 172.67.72.57
http://loginmicrosoftonline.al-mutaheda.com/expiration/notice/nRrRc/receiving@accel-inc.com | malicious | HTMLPhisher | 172.67.74.152
EspPrivStoreAtt116.exe | malicious | Unknown | 104.26.0.5
tpmbypassprivatestore.exe | malicious | Unknown | 104.26.1.5
email.eml | malicious | unknown | 172.64.41.3
http://www.brillflooring.com | malicious | Unknown | 188.114.96.3
PlusPrivStoreAtt116.exe | malicious | Unknown | 104.26.1.5
AimPrivStoreAtt117.exe | malicious | Unknown | 104.26.0.5
Match (JA3 fingerprint): 3b5074b1b5d032e5620f69f9f700ff0e
Associated Sample Name / URL | Detection | Threat Name | Context (IP)
PlusPrivStoreAtt116.exe | malicious | Unknown | 104.26.0.5
AimPrivStoreAtt117.exe | malicious | Unknown | 104.26.0.5
EspPrivStoreAtt116.exe | malicious | Unknown | 104.26.0.5
http://www.brillflooring.com | malicious | Unknown | 104.26.0.5
PlusPrivStoreAtt116.exe | malicious | Unknown | 104.26.0.5
AimPrivStoreAtt117.exe | malicious | Unknown | 104.26.0.5
Confirm Bank Statement.exe | malicious | MassLogger RAT, PureLog Stealer | 104.26.0.5
Subscription_Renewal_Receipt_2025.htm | malicious | HTMLPhisher | 104.26.0.5
http://vionicstore.shop | malicious | Unknown | 104.26.0.5

Dropped files: no context

Reading the four tables together: 104.26.0.5, 104.26.1.5 and 172.67.72.57 are CLOUDFLARENETUS addresses that front keyauth.win and, per the ASN table, unrelated phishing pages as well, so the IP and ASN overlaps are shared-CDN noise rather than attribution. The domain keyauth.win is the indicator worth correlating. The JA3 hash is a fingerprint of the client TLS stack, not of this sample: the table above shows the same hash on a phishing page and on unrelated families (MassLogger RAT, PureLog Stealer), so it narrows the kind of client, nothing more.
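How a JA3 value such as the one matched above is derived, as an added example that is not part of the Joe Sandbox report: the fingerprint is the MD5 of "TLSVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats" read from the ClientHello, with GREASE values dropped. The ClientHello below is constructed inline for illustration and is not the sample's traffic; the parser is the editor's own and handles a single record holding one ClientHello.

```python
"""JA3 client fingerprint computed from a raw TLS ClientHello record.

Added example: the ClientHello below is constructed for illustration and is
not traffic from the analysed sample.
"""
import hashlib
import struct

# GREASE values (RFC 8701) are ignored by JA3 so that randomised placeholders
# do not change the fingerprint.
GREASE = {(n << 8) | n for n in range(0x0A, 0x100, 0x10)}


def _u16s(buf: bytes) -> list:
    """Big-endian uint16 list from a byte string of even length."""
    return [v for (v,) in struct.iter_unpack("!H", buf)]


def _dash(values) -> str:
    return "-".join(str(v) for v in values)


def ja3_string(record: bytes) -> str:
    """Return 'version,ciphers,extensions,groups,point_formats' (JA3 definition).

    Each list field is '-' joined; GREASE values are dropped from every list.
    """
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                   # client_version, client_random
    pos += 1 + body[pos]                           # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [c for c in _u16s(body[pos:pos + cs_len]) if c not in GREASE]
    pos += cs_len
    pos += 1 + body[pos]                           # compression_methods

    exts, groups, formats = [], [], []
    if pos + 2 <= len(body):                       # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype in GREASE:
                continue
            exts.append(etype)
            if etype == 0x000A:                    # supported_groups
                n = struct.unpack("!H", data[0:2])[0]
                groups = [g for g in _u16s(data[2:2 + n]) if g not in GREASE]
            elif etype == 0x000B:                  # ec_point_formats
                formats = list(data[1:1 + data[0]])

    return f"{version},{_dash(ciphers)},{_dash(exts)},{_dash(groups)},{_dash(formats)}"


def ja3_hash(record: bytes) -> str:
    """JA3 is the MD5 of the JA3 string, rendered as 32 lowercase hex digits."""
    return hashlib.md5(ja3_string(record).encode("ascii")).hexdigest()


def build_client_hello(version: int, ciphers: list, extensions: list) -> bytes:
    """Assemble a minimal TLS record carrying a ClientHello (test input builder)."""
    ext_blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (struct.pack("!H", version) + bytes(32) + b"\x00"          # random, empty session id
            + struct.pack("!H", 2 * len(ciphers))
            + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00"                                             # one compression method: null
            + struct.pack("!H", len(ext_blob)) + ext_blob)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed sample hello: TLS 1.2, one GREASE cipher and one GREASE extension
# that must not appear in the fingerprint, SNI, supported_groups, ec_point_formats.
SAMPLE_HELLO = build_client_hello(
    0x0303,
    [0x2A2A, 0xC02B, 0xC02F, 0x009C],
    [(0x3A3A, b""),
     (0x0000, b"\x00\x0c\x00\x00\x09localhost"),   # server_name: "localhost"
     (0x000A, b"\x00\x04\x00\x1d\x00\x17"),         # groups: x25519, secp256r1
     (0x000B, b"\x01\x00")],                        # point formats: uncompressed
)

if __name__ == "__main__":
    print(ja3_string(SAMPLE_HELLO))   # 771,49195-49199-156,0-10-11,29-23,0
    print(ja3_hash(SAMPLE_HELLO))
```

To pivot from a capture, feed ja3_hash() the raw bytes of the first TLS record the client sends (from the 0x16 record byte onward); a match on a hash like the one in the table identifies the TLS stack and its configuration, so it is a filter for hunting, not an identifier for the family.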
Process: C:\Users\user\Desktop\SPOOOFER776.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1553
Entropy (8bit): 5.349053066873526
Encrypted: false
SSDEEP: 48:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HmHKJHKmTH3:Pq5qHwCYqh3oPtI6eqzxGqJqqX
MD5: E7486FB6F704DFF43F9913929E0B6E90
SHA1: 8213ECDCA2A2902EA04CC46AD25B7BE8B009B66F
SHA-256: 4D21973286C22A3C68CC366BB1B73F2040212B6F4EDCC23D725EF141224DBE98
SHA-512: 345B6E69130DB544888D8E8F15BE7CB7604DE1F9EBAE9010CB62B9AA94EC1B74FBDE493D50DD0EE53C6DC2EE65961DC0887D7B860BF4525F50F54F907548E565
Malicious: true
Reputation: low
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Note: the ".." in the preview are the CRLF line terminators rendered as dots. The entries (a fusion/GAC header, then framework assemblies with their native-image paths under C:\Windows\assembly\NativeImages_v4.0.30319_32) have the layout of the assembly usage log that the .NET runtime writes for a managed process, i.e. a record of which framework assemblies (System.Windows.Forms, System.Drawing, System.Xml, ...) the sample loaded rather than attacker-authored content. Keep that in mind before treating this file's hashes as indicators; the 32-bit NativeImages path does confirm the process ran under the 32-bit CLR.
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.681946284740579
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: SPOOOFER776.exe
File size: 5'856'768 bytes
MD5: 66a9fe0ffb298b4c4c390dee3bc534e9
SHA1: 5dc498039926c0c342c536d3cccf1e5c1dd752d8
SHA256: 0fc0de254bc80e54c708fbd0eb0460c730283508b94108e4b2d1d70525ef3fce
SHA512: a8a8c2674744069531908b69384a1a03b38991ddbabd2a0d5908add292796e0ca4ed6c16a0867d1af0e200e4b203d6d1e41b6639ba6e6df276e43bbfc262ee36
SSDEEP: 98304:WDEBe6aA0c5ZUYKjYXC3UdKep9y1X+bEszBfhBVnTknrqkqXf0F9+KH4kpc+DX/P:W490cbzyEdKepwIb5zBXVnT02kSIEKYK
TLSH: BF46F0422186D59CF037D9BC46D6E9ADF996AC615ED2C92A2DC3B5F880F32027B50F03
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0.7..........."...0..FU.........ndU.. ........@.. ........................Y...........`................................
Icon Hash: 4427131757593716
Entrypoint: 0x95646e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xF237E430 [Fri Oct 10 03:12:48 2098 UTC]
Note: a build date seven decades in the future is what the "suspicious time stamp" signature keys on. For a .NET assembly this is a weak signal: compilers building in deterministic mode write a hash-derived value into the COFF TimeDateStamp field instead of a clock value (with the high bit set, as here, so the decoded date lands after 2038), so an out-of-range timestamp on a .NET binary is common and not by itself evidence of tampering. The 5.8 MB size with entropy 7.68 is the stronger hint that most of the file is packed or encrypted content.
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
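A header-level triage that recovers the fields listed above from raw bytes, as an added example and not part of the report or of Joe Sandbox. The image it runs on is constructed in memory with the report's header values (timestamp 0xF237E430, image base 0x400000, an entry point RVA of 0x55646e, i.e. 0x95646e at that base, the same characteristics and DLL characteristics, a non-empty CLR data directory) and has no sections; the parser handles the PE32 layout only, which is what this 32-bit sample uses. The timestamp classification is the editor's own rule, not the sandbox's.

```python
"""Header-level PE triage that recovers the fields listed in the static report.

Added example: the image below is constructed in memory with the report's
header values (headers only, no sections) so the parser runs offline; it is
not the analysed sample. PE32 (32-bit) layout only.
"""
import datetime as dt
import struct

IMAGE_FILE_FLAGS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x0400: "NO_SEH",
    0x8000: "TERMINAL_SERVER_AWARE",
}
SUBSYSTEMS = {2: "windows gui", 3: "windows cui"}
_EPOCH = dt.datetime(1970, 1, 1, tzinfo=dt.timezone.utc)


def _flags(value: int, table: dict) -> list:
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data: bytes) -> dict:
    """Read the DOS, COFF and PE32 optional headers plus the CLR data directory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, _nsect, ts, _, _, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                           # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    imagebase = struct.unpack_from("<I", data, opt + 28)[0]
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    ss_major, ss_minor = struct.unpack_from("<HH", data, opt + 48)
    subsystem, dllchar = struct.unpack_from("<HH", data, opt + 68)
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    clr_rva = clr_size = 0
    if ndirs > 14:                                          # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        clr_rva, clr_size = struct.unpack_from("<II", data, opt + 96 + 14 * 8)
    return {
        "machine": machine,
        "timestamp": ts,
        "timestamp_utc": (_EPOCH + dt.timedelta(seconds=ts)).strftime("%Y-%m-%d %H:%M:%S"),
        "characteristics": _flags(chars, IMAGE_FILE_FLAGS),
        "entrypoint_rva": entry_rva,
        "entrypoint_va": imagebase + entry_rva,             # what the report calls Entrypoint
        "imagebase": imagebase,
        "os_version": f"{os_major}.{os_minor}",
        "subsystem_version": f"{ss_major}.{ss_minor}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "dll_characteristics": _flags(dllchar, DLL_CHARACTERISTICS),
        "is_dotnet": clr_rva != 0 and clr_size != 0,        # CLR header present
    }


def timestamp_verdict(ts: int, now: dt.datetime = None) -> str:
    """Classify the COFF TimeDateStamp as 'zero', 'future' or 'plausible'.

    'future' is what a "suspicious time stamp" signature keys on. For .NET
    assemblies it is common: deterministic builds store a hash-derived value
    here (high bit set, so the date lands after 2038) instead of a clock value.
    """
    if ts == 0:
        return "zero"
    now = now or dt.datetime.now(dt.timezone.utc)
    return "future" if _EPOCH + dt.timedelta(seconds=ts) > now else "plausible"


def build_minimal_pe(timestamp: int, entry_rva: int = 0x55646E, imagebase: int = 0x400000,
                     characteristics: int = 0x0122, subsystem: int = 2,
                     dllchar: int = 0x8560, clr_rva: int = 0x2008) -> bytes:
    """Constructed PE32 header set (no sections) for running the parser offline."""
    e_lfanew = 0x80
    dos = (b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    opt = bytearray(96 + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x10B)                   # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, imagebase)
    struct.pack_into("<HH", opt, 40, 4, 0)                  # OS version 4.0
    struct.pack_into("<HH", opt, 48, 4, 0)                  # subsystem version 4.0
    struct.pack_into("<HH", opt, 68, subsystem, dllchar)
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 14 * 8, clr_rva, 72)  # CLR header: RVA, size
    coff = struct.pack("<HHIIIHH", 0x14C, 0, timestamp, 0, 0, len(opt), characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


# Constructed image mirroring the report: timestamp 0xF237E430, image base 0x400000,
# entry point VA 0x95646e, the listed characteristics and DLL characteristics.
SAMPLE_PE = build_minimal_pe(0xF237E430)

if __name__ == "__main__":
    info = parse_pe(SAMPLE_PE)
    for key, value in info.items():
        shown = f"{value:#x}" if isinstance(value, int) and not isinstance(value, bool) else value
        print(f"{key}: {shown}")
    print("timestamp verdict:", timestamp_verdict(info["timestamp"]))
```

Point parse_pe() at the bytes of a real file to reproduce the report's static rows; is_dotnet is the check that decides whether the native entry point is worth disassembling at all (for a managed image it is a stub, see the disassembly below), and timestamp_verdict() returning "future" on a .NET file should be read together with the deterministic-build caveat above rather than as a tamper indicator.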
Instruction
jmp dword ptr [00402000h]
(the bytes that follow are zero padding and disassemble as "add byte ptr [eax], al" repeated; omitted here)
The one real instruction is the stock native entry stub of a 32-bit .NET executable: an indirect jump through the import slot at 0x402000 (image base 0x400000 + RVA 0x2000), which the loader fills with the address of mscoree!_CorExeMain. Execution hands over to the CLR there, so this disassembly shows nothing of the sample's own logic; that lives in the managed code and needs a .NET decompiler rather than x86 disassembly.
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
                                                                                                                                  add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
--- | --- | --- | ---
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x55641a | 0x51 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x558000 | 0x4130c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x59a000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x556338 | 0x38 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
--- | --- | --- | --- | --- | --- | --- | --- | --- | ---
.text | 0x2000 | 0x554474 | 0x554600 | 5541e199cb4d52f020bf34a5a192525c | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x558000 | 0x4130c | 0x41400 | d891dc917d538be924cb523af7b0577b | False | 0.1685674090038314 | data | 3.375765933642511 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x59a000 | 0xc | 0x200 | dabe037bf1c4ab067372e4781f14db8e | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
--- | --- | --- | --- | --- | --- | ---
RT_ICON | 0x558100 | 0x40c28 | Device independent bitmap graphic, 251 x 512 x 32, image size 257024 | | | 0.16656362155804205
RT_GROUP_ICON | 0x598d38 | 0x14 | data | | | 1.2
RT_VERSION | 0x598d5c | 0x3b0 | data | | | 0.4343220338983051
RT_MANIFEST | 0x59911c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
--- | ---
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
--- | --- | --- | --- | ---
Jan 14, 2025 16:56:12.365875006 CET | 49738 | 443 | 192.168.2.4 | 104.26.0.5
Jan 14, 2025 16:56:12.365911961 CET | 443 | 49738 | 104.26.0.5 | 192.168.2.4
Jan 14, 2025 16:56:12.365992069 CET | 49738 | 443 | 192.168.2.4 | 104.26.0.5
Jan 14, 2025 16:56:12.378025055 CET | 49738 | 443 | 192.168.2.4 | 104.26.0.5
Jan 14, 2025 16:56:12.378040075 CET | 443 | 49738 | 104.26.0.5 | 192.168.2.4
Jan 14, 2025 16:56:12.844595909 CET | 443 | 49738 | 104.26.0.5 | 192.168.2.4
Jan 14, 2025 16:56:12.847197056 CET | 49738 | 443 | 192.168.2.4 | 104.26.0.5
Jan 14, 2025 16:56:12.850964069 CET | 49738 | 443 | 192.168.2.4 | 104.26.0.5
Jan 14, 2025 16:56:12.850970984 CET | 443 | 49738 | 104.26.0.5 | 192.168.2.4
Jan 14, 2025 16:56:12.851279974 CET | 443 | 49738 | 104.26.0.5 | 192.168.2.4
Jan 14, 2025 16:56:12.893218040 CET | 49738 | 443 | 192.168.2.4 | 104.26.0.5
Jan 14, 2025 16:56:12.903095007 CET | 49738 | 443 | 192.168.2.4 | 104.26.0.5
Jan 14, 2025 16:56:12.947340965 CET | 443 | 49738 | 104.26.0.5 | 192.168.2.4
Jan 14, 2025 16:56:12.997780085 CET | 443 | 49738 | 104.26.0.5 | 192.168.2.4
Jan 14, 2025 16:56:12.998450994 CET | 49738 | 443 | 192.168.2.4 | 104.26.0.5
Jan 14, 2025 16:56:12.998466969 CET | 443 | 49738 | 104.26.0.5 | 192.168.2.4
Jan 14, 2025 16:56:13.114337921 CET | 443 | 49738 | 104.26.0.5 | 192.168.2.4
Jan 14, 2025 16:56:13.114438057 CET | 443 | 49738 | 104.26.0.5 | 192.168.2.4
Jan 14, 2025 16:56:13.114489079 CET | 49738 | 443 | 192.168.2.4 | 104.26.0.5
Jan 14, 2025 16:56:13.117568970 CET | 49738 | 443 | 192.168.2.4 | 104.26.0.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
--- | --- | --- | --- | ---
Jan 14, 2025 16:56:12.346359968 CET | 64491 | 53 | 192.168.2.4 | 1.1.1.1
Jan 14, 2025 16:56:12.359359980 CET | 53 | 64491 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
--- | --- | --- | --- | --- | --- | --- | --- | ---
Jan 14, 2025 16:56:12.346359968 CET | 192.168.2.4 | 1.1.1.1 | 0x925b | Standard query (0) | keyauth.win | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Jan 14, 2025 16:56:12.359359980 CET | 1.1.1.1 | 192.168.2.4 | 0x925b | No error (0) | keyauth.win | | 104.26.0.5 | A (IP address) | IN (0x0001) | false
Jan 14, 2025 16:56:12.359359980 CET | 1.1.1.1 | 192.168.2.4 | 0x925b | No error (0) | keyauth.win | | 104.26.1.5 | A (IP address) | IN (0x0001) | false
Jan 14, 2025 16:56:12.359359980 CET | 1.1.1.1 | 192.168.2.4 | 0x925b | No error (0) | keyauth.win | | 172.67.72.57 | A (IP address) | IN (0x0001) | false
• keyauth.win

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
--- | --- | --- | --- | --- | --- | ---
0 | 192.168.2.4 | 49738 | 104.26.0.5 | 443 | 6904 | C:\Users\user\Desktop\SPOOOFER776.exe
Timestamp: 2025-01-14 15:56:12 UTC, Bytes transferred: 162, Direction: OUT
POST /api/1.0/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: keyauth.win
Content-Length: 396
Expect: 100-continue
Connection: Keep-Alive

Timestamp: 2025-01-14 15:56:12 UTC, Bytes transferred: 25, Direction: IN
HTTP/1.1 100 Continue
Timestamp: 2025-01-14 15:56:12 UTC, Bytes transferred: 396, Direction: OUT
Data Ascii: type=696e6974&ver=6c900c4bb2ae4310d2140ea672c7335e&hash=66a9fe0ffb298b4c4c390dee3bc534e9&enckey=f24a4fd55bf8fca0b1e861145fa204985cddb306d2e7aa9b3aae0a548b7fafc1aad396704be8e1f5db49c977b4c7d6e2053692569a8585cfee28a635af82e68d70b0a1f05492d9ed26c5a00fc2b1f36

Timestamp: 2025-01-14 15:56:13 UTC, Bytes transferred: 1369, Direction: IN
HTTP/1.1 200 OK
Date: Tue, 14 Jan 2025 15:56:13 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 192
Connection: close
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y%2BKuuP6wizOF0rAUoGaQ%2BiTXZsK0lb3dAvAycmAOl2jBd6ICVA16ovOB4z4bY%2Baj5m3STkpJ5mIhrbwHXl7Rf6htUF3racmm9Wnze%2Blszp%2FXaIp24hLnyZ7nNtm0"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Acknowledge: Credit to VaultCord.com
X-Powered-By: VaultCord.com
content-security-policy: upgrade-insecure-requests
permissions-policy: accelerometer=(), camera=(), fullscreen=*, geolocation=(self), gyroscope=(), microphone=(), payment=*
referrer-policy: strict-origin-when-cross-origin
strict-transport-security: max-age=31536000; includeSubDomains
x-content-security-policy: img-src *; media-src * data:;
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 1; mode=block
Access-Control-Allow-Headers: *
Access-Control-Allow-Methods: *
Access-Control-Allow-Origin: *
Server: cloudflare
CF-RAY: 901ed094fb411906-EWR
server-timing: cfL4;desc="?proto=TCP&rtt=4362&min_rtt=1510&rtt_var=6129&sent=6&recv=9&lost=0&retrans=0&sent_bytes=2842&recv_bytes=1194&delivery_rate=1906005&cwnd=253&unsent_bytes=0&cid=346a546c115b8c0c&ts=285&x=0"
3cfda93e77606f26eb75beba74fa06460b49566d59d0f46f
Timestamp: 2025-01-14 15:56:13 UTC, Bytes transferred: 144, Direction: IN
Data Ascii: 30a0cc04a79001299e34f96eb5701657717edd60ab32865f36bfd2d32ac2723c75d1c9f0d70c47ad5e29f9d8490b389ca2c97f50abd1a034fd75c467b06903f5a5a951344d5c3433


Target ID: 0
Start time: 10:56:07
Start date: 14/01/2025
Path: C:\Users\user\Desktop\SPOOOFER776.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\SPOOOFER776.exe"
Imagebase: 0xd50000
File size: 5'856'768 bytes
MD5 hash: 66A9FE0FFB298B4C4C390DEE3BC534E9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.1982188192.0000000007C70000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000000.1864156282.0000000000F4D000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.1974541992.00000000066F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1963979501.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true


Execution Graph

Execution Coverage: 11.9%
Dynamic/Decrypted Code Coverage: 99.7%
Signature Coverage: 0.8%
Total number of Nodes: 859
Total number of Limit Nodes: 66
12 API calls 68898->68902 68903 9b374fb 2 API calls 68898->68903 68904 6b0349c 12 API calls 68898->68904 68900->68899 68901->68899 68902->68899 68903->68899 68904->68899 68907 6b033e4 68905->68907 68906 6b03470 68906->68884 68939 6b03488 68907->68939 68950 6b03483 68907->68950 68911 9b37515 68910->68911 68912 9b3750c 68910->68912 68911->68884 69109 9b37524 68912->69109 69113 9b37528 68912->69113 68916 6b0345a 68915->68916 68917 6b034aa 68915->68917 68919 6b03483 12 API calls 68916->68919 68920 6b03488 12 API calls 68916->68920 68918 6b03470 68918->68884 68919->68918 68920->68918 68922 6b033e4 68921->68922 68924 6b03483 12 API calls 68922->68924 68925 6b03488 12 API calls 68922->68925 68923 6b03470 68923->68884 68924->68923 68925->68923 68927 99659ad 68926->68927 68928 99659b5 68927->68928 68930 6b048e0 12 API calls 68927->68930 68931 6b00464 12 API calls 68927->68931 68928->68884 68929 99659e0 68929->68884 68930->68929 68931->68929 68933 6b0046f 68932->68933 68934 6b04932 68933->68934 68935 6b049dc 68933->68935 68937 6b0498a CallWindowProcW 68934->68937 68938 6b04939 68934->68938 68936 6b0033c 11 API calls 68935->68936 68936->68938 68937->68938 68938->68884 68949 6b03499 68939->68949 68962 996adb0 68939->68962 68973 921ed90 68939->68973 68976 996de92 68939->68976 68984 6b048c0 68939->68984 68987 921eda0 68939->68987 68990 921897a 68939->68990 68998 996dec0 68939->68998 69003 9218988 68939->69003 69011 996ad90 68939->69011 68949->68906 68951 6b03488 68950->68951 68952 6b048c0 12 API calls 68951->68952 68953 921eda0 12 API calls 68951->68953 68954 921ed90 12 API calls 68951->68954 68955 996de92 12 API calls 68951->68955 68956 996ad90 12 API calls 68951->68956 68957 996adb0 12 API calls 68951->68957 68958 996dec0 12 API calls 68951->68958 68959 9218988 12 API calls 68951->68959 68960 6b03499 68951->68960 68961 921897a 12 API calls 68951->68961 68952->68960 68953->68960 68954->68960 68955->68960 68956->68960 68957->68960 68958->68960 68959->68960 68960->68906 
68961->68960 68963 996adc9 68962->68963 68964 996addc 68962->68964 68963->68964 68965 996add3 68963->68965 68966 996adea 68963->68966 68971 996af16 68964->68971 69030 92189e8 68964->69030 68965->68964 68967 996aff9 68965->68967 68966->68964 68969 996b062 68966->68969 68966->68971 69022 996a0e8 68967->69022 69026 996a158 68969->69026 68971->68949 68974 921edb4 68973->68974 69081 921ee33 68973->69081 68974->68949 68977 996de9b 68976->68977 68978 996de33 68976->68978 68979 996decb 68977->68979 68983 92189e8 12 API calls 68977->68983 68978->68949 68980 996de72 68978->68980 69099 6b06484 68978->69099 68979->68949 68980->68949 68981 996ded7 68981->68949 68983->68981 68985 6b00464 12 API calls 68984->68985 68986 6b048da 68985->68986 68986->68949 68989 921ee33 12 API calls 68987->68989 68988 921edb4 68988->68949 68989->68988 68991 9218988 68990->68991 68992 92189d4 68991->68992 68997 92189e8 12 API calls 68991->68997 68992->68949 68993 92189a1 68993->68992 69105 9960748 PostMessageW 68993->69105 69107 9960740 PostMessageW 68993->69107 68994 92189d0 68994->68949 68997->68993 68999 996ded2 68998->68999 69000 996decb 68998->69000 69002 92189e8 12 API calls 68999->69002 69000->68949 69001 996ded7 69001->68949 69002->69001 69004 92189d4 69003->69004 69005 9218997 69003->69005 69004->68949 69008 92189e8 12 API calls 69005->69008 69006 92189a1 69006->69004 69009 9960740 PostMessageW 69006->69009 69010 9960748 PostMessageW 69006->69010 69007 92189d0 69007->68949 69008->69006 69009->69007 69010->69007 69012 996ad95 69011->69012 69013 996add3 69012->69013 69014 996adea 69012->69014 69015 996addc 69012->69015 69013->69015 69016 996aff9 69013->69016 69014->69015 69018 996b062 69014->69018 69020 996af16 69014->69020 69015->69020 69021 92189e8 12 API calls 69015->69021 69017 996a0e8 12 API calls 69016->69017 69017->69020 69019 996a158 12 API calls 69018->69019 69019->69020 69020->68949 69021->69020 69023 996a0f3 69022->69023 69025 92189e8 12 API calls 69023->69025 69024 996b4ee 
69024->68971 69025->69024 69027 996a163 69026->69027 69029 92189e8 12 API calls 69027->69029 69028 996dd9c 69028->68971 69029->69028 69031 9218a03 69030->69031 69032 9218a0a 69030->69032 69031->68971 69036 9218a1a 69032->69036 69043 9218a28 69032->69043 69033 9218a10 69033->68971 69037 9218a36 69036->69037 69039 9218a58 69036->69039 69038 9218a44 69037->69038 69042 6b048c0 12 API calls 69037->69042 69050 6b03ca8 69037->69050 69057 6b03cb8 69037->69057 69038->69033 69039->69033 69042->69038 69044 9218a36 69043->69044 69046 9218a58 69043->69046 69045 9218a44 69044->69045 69047 6b03cb8 12 API calls 69044->69047 69048 6b03ca8 12 API calls 69044->69048 69049 6b048c0 12 API calls 69044->69049 69045->69033 69046->69033 69047->69045 69048->69045 69049->69045 69052 6b03cb8 69050->69052 69051 6b03fa4 69051->69038 69052->69051 69053 6b04685 GetFocus 69052->69053 69054 6b046b2 69052->69054 69053->69054 69054->69051 69064 996b368 69054->69064 69069 996b378 69054->69069 69058 6b03d04 69057->69058 69059 6b03fa4 69058->69059 69060 6b04685 GetFocus 69058->69060 69061 6b046b2 69058->69061 69059->69038 69060->69061 69061->69059 69062 996b378 11 API calls 69061->69062 69063 996b368 11 API calls 69061->69063 69062->69059 69063->69059 69065 996b3be 69064->69065 69066 996b3e1 69065->69066 69068 6b00464 12 API calls 69065->69068 69074 6b048e0 69065->69074 69066->69051 69068->69066 69070 996b3be 69069->69070 69071 996b3e1 69070->69071 69072 6b048e0 12 API calls 69070->69072 69073 6b00464 12 API calls 69070->69073 69071->69051 69072->69071 69073->69071 69075 6b048f0 69074->69075 69076 6b04932 69075->69076 69077 6b049dc 69075->69077 69079 6b0498a CallWindowProcW 69076->69079 69080 6b04939 69076->69080 69078 6b0033c 11 API calls 69077->69078 69078->69080 69079->69080 69080->69066 69082 921ee46 69081->69082 69084 921ee56 69081->69084 69083 921eea3 69082->69083 69087 921eee8 69082->69087 69093 921eeda 69082->69093 69083->68974 69084->68974 69088 921eef9 69087->69088 69089 921ef1c 69088->69089 
69090 6b048c0 12 API calls 69088->69090 69091 6b03cb8 12 API calls 69088->69091 69092 6b03ca8 12 API calls 69088->69092 69089->69084 69090->69089 69091->69089 69092->69089 69094 921eef9 69093->69094 69095 921ef1c 69094->69095 69096 6b048c0 12 API calls 69094->69096 69097 6b03cb8 12 API calls 69094->69097 69098 6b03ca8 12 API calls 69094->69098 69095->69084 69096->69095 69097->69095 69098->69095 69100 6b0648d 69099->69100 69102 6b064ab 69099->69102 69101 6b04bd0 4 API calls 69100->69101 69100->69102 69101->69102 69103 6b04bd0 4 API calls 69102->69103 69104 6b065e4 69102->69104 69103->69104 69104->68978 69106 99607b4 69105->69106 69106->68994 69108 99607b4 69107->69108 69108->68994 69112 9b37539 69109->69112 69110 9b37573 69110->68911 69112->69110 69117 9b35c3c 69112->69117 69115 9b37539 69113->69115 69114 9b37573 69114->68911 69115->69114 69116 9b35c3c 2 API calls 69115->69116 69116->69115 69118 9b35c47 69117->69118 69121 9b382d1 69118->69121 69125 9b38300 69121->69125 69132 9b3840a 69121->69132 69122 9b382cc 69122->69112 69126 9b38325 69125->69126 69137 9b3772c 69126->69137 69128 9b38335 69129 9b38339 69128->69129 69141 996050a 69128->69141 69145 9960518 69128->69145 69129->69122 69129->69129 69133 9b383f5 69132->69133 69134 9b383e5 69132->69134 69134->69133 69135 996050a KiUserCallbackDispatcher 69134->69135 69136 9960518 KiUserCallbackDispatcher 69134->69136 69135->69133 69136->69133 69138 9b37737 69137->69138 69139 9b384a1 GetCurrentThreadId 69138->69139 69140 9b384cb 69138->69140 69139->69140 69140->69128 69142 9960540 69141->69142 69143 996058f 69142->69143 69149 9960669 69142->69149 69146 9960540 69145->69146 69147 996058f 69146->69147 69148 9960669 KiUserCallbackDispatcher 69146->69148 69148->69147 69150 9960685 69149->69150 69151 9960681 KiUserCallbackDispatcher 69149->69151 69150->69143 69151->69150 69152 921f8b2 69153 921f8b8 SendMessageW 69152->69153 69155 921f93e 69153->69155 69156 9b34ea0 69157 9b34ede 69156->69157 69158 9b34ee8 GetProcessWindowStation 
69157->69158 69159 9b34f10 69157->69159 69158->69159 69577 9b35d60 69578 9b35da4 69577->69578 69579 9b35dae EnumThreadWindows 69577->69579 69578->69579 69580 9b35de0 69579->69580 69160 996b580 69162 996b594 69160->69162 69161 996b5b1 69162->69161 69163 6b04bd0 4 API calls 69162->69163 69164 6b04bc0 4 API calls 69162->69164 69163->69162 69164->69162 69581 9964740 69585 9964768 69581->69585 69589 9964778 69581->69589 69582 9964765 69586 996478c 69585->69586 69593 99647a0 69585->69593 69596 9964791 69585->69596 69586->69582 69591 99647a0 KiUserCallbackDispatcher 69589->69591 69592 9964791 KiUserCallbackDispatcher 69589->69592 69590 996478c 69590->69582 69591->69590 69592->69590 69594 99647de 69593->69594 69599 9964879 69593->69599 69594->69586 69598 9964879 KiUserCallbackDispatcher 69596->69598 69597 99647de 69597->69586 69598->69597 69600 99648a4 69599->69600 69604 7eaaec0 69600->69604 69609 7eaaeb2 69600->69609 69601 99648ba 69601->69594 69606 7ea9afe KiUserCallbackDispatcher 69604->69606 69607 7ea9b00 KiUserCallbackDispatcher 69604->69607 69608 7ea9af0 KiUserCallbackDispatcher 69604->69608 69605 7eaaed7 69605->69601 69606->69605 69607->69605 69608->69605 69610 7eaaeba 69609->69610 69611 7eaaed7 69610->69611 69612 7ea9afe KiUserCallbackDispatcher 69610->69612 69613 7ea9b00 KiUserCallbackDispatcher 69610->69613 69614 7ea9af0 KiUserCallbackDispatcher 69610->69614 69611->69601 69612->69611 69613->69611 69614->69611 69615 1c2db18 69616 1c2db5e GetCurrentProcess 69615->69616 69618 1c2dbb0 GetCurrentThread 69616->69618 69619 1c2dba9 69616->69619 69620 1c2dbe6 69618->69620 69621 1c2dbed GetCurrentProcess 69618->69621 69619->69618 69620->69621 69622 1c2dc23 GetCurrentThreadId 69621->69622 69624 1c2dc7c 69622->69624 69165 9b361a8 69166 9b361ed MessageBoxW 69165->69166 69168 9b36234 69166->69168 69169 921ae00 69170 921ae19 69169->69170 69173 921aea0 69170->69173 69171 921ae5e 69174 921aeb7 69173->69174 69178 921af84 69174->69178 69182 921af90 69174->69182 69175 921aefc 
69175->69171 69179 921af90 KiUserCallbackDispatcher 69178->69179 69181 921b042 69179->69181 69181->69175 69183 921afeb KiUserCallbackDispatcher 69182->69183 69185 921b042 69183->69185 69185->69175 69625 921d7c0 69626 921d7d1 69625->69626 69627 921d80b 69626->69627 69629 921ce74 69626->69629 69631 921ce7f 69629->69631 69630 921d885 69630->69626 69631->69630 69633 921ce94 69631->69633 69635 921ce9f 69633->69635 69634 921d9c1 69634->69631 69635->69634 69638 921dc0a 69635->69638 69642 921dc18 69635->69642 69639 921dc2f 69638->69639 69640 921cfd4 PostMessageW 69639->69640 69641 921dd5e 69639->69641 69640->69641 69641->69635 69644 921dc2f 69642->69644 69643 921dd5e 69643->69635 69644->69643 69645 921cfd4 PostMessageW 69644->69645 69645->69643 69646 9218ac0 69647 9218b02 69646->69647 69648 9218b08 SetWindowTextW 69646->69648 69647->69648 69649 9218b39 69648->69649 69186 1c2dd60 DuplicateHandle 69187 1c2ddf6 69186->69187 69188 6b0e798 69189 6b0e7bd 69188->69189 69199 6b0dd1c 69189->69199 69191 6b0ebcf 69192 6b0e7c6 69192->69191 69203 7eab9d0 69192->69203 69210 7eab9c1 69192->69210 69217 7eacab0 69192->69217 69221 7eacaa1 69192->69221 69225 7ea8898 69192->69225 69230 7ea888a 69192->69230 69200 6b0dd27 69199->69200 69235 6b0dd7c 69200->69235 69202 6b0f0c7 69202->69192 69204 7eab9fb 69203->69204 69205 7eab9f4 69203->69205 69209 7eaba22 69204->69209 69312 7ea7b04 69204->69312 69205->69192 69208 7ea7b04 GetCurrentThreadId 69208->69209 69209->69192 69211 7eab9f4 69210->69211 69212 7eab9fb 69210->69212 69211->69192 69213 7ea7b04 GetCurrentThreadId 69212->69213 69216 7eaba22 69212->69216 69214 7eaba18 69213->69214 69215 7ea7b04 GetCurrentThreadId 69214->69215 69215->69216 69216->69192 69218 7eacac1 69217->69218 69219 7eacb29 69218->69219 69220 7ea8898 KiUserCallbackDispatcher 69218->69220 69219->69192 69220->69218 69224 7eacac1 69221->69224 69222 7eacb29 69222->69192 69223 7ea8898 KiUserCallbackDispatcher 69223->69224 69224->69222 69224->69223 69227 7ea88cf 69225->69227 69226 
7ea8a28 69226->69192 69227->69226 69316 7ea8c27 69227->69316 69320 7ea8c38 69227->69320 69232 7ea888f 69230->69232 69231 7ea8a28 69231->69192 69232->69231 69233 7ea8c38 KiUserCallbackDispatcher 69232->69233 69234 7ea8c27 KiUserCallbackDispatcher 69232->69234 69233->69231 69234->69231 69236 6b0dd87 69235->69236 69237 6b0f152 69236->69237 69240 1c27bbc 69236->69240 69247 1c28ce0 69236->69247 69237->69202 69241 1c27bc7 69240->69241 69243 1c28fa3 69241->69243 69254 1c2b650 69241->69254 69242 1c28fe1 69242->69237 69243->69242 69260 1c2d721 69243->69260 69265 1c2d730 69243->69265 69248 1c28d1b 69247->69248 69250 1c28fa3 69248->69250 69253 1c2b650 GetModuleHandleW 69248->69253 69249 1c28fe1 69249->69237 69250->69249 69251 1c2d730 7 API calls 69250->69251 69252 1c2d721 7 API calls 69250->69252 69251->69249 69252->69249 69253->69250 69255 1c2b653 69254->69255 69257 1c2b613 69254->69257 69255->69257 69270 1c2b688 69255->69270 69273 1c2b67b 69255->69273 69256 1c2b666 69256->69243 69257->69243 69261 1c2d751 69260->69261 69262 1c2d775 69261->69262 69281 1c2da00 69261->69281 69285 1c2d9f0 69261->69285 69262->69242 69266 1c2d751 69265->69266 69267 1c2d775 69266->69267 69268 1c2d9f0 7 API calls 69266->69268 69269 1c2da00 7 API calls 69266->69269 69267->69242 69268->69267 69269->69267 69276 1c2b770 69270->69276 69271 1c2b697 69271->69256 69274 1c2b697 69273->69274 69275 1c2b770 GetModuleHandleW 69273->69275 69274->69256 69275->69274 69277 1c2b73b 69276->69277 69277->69276 69278 1c2b7b4 69277->69278 69279 1c2b9b8 GetModuleHandleW 69277->69279 69278->69271 69280 1c2b9e5 69279->69280 69280->69271 69282 1c2da0d 69281->69282 69283 1c2da47 69282->69283 69289 1c2bd08 69282->69289 69283->69262 69286 1c2da0d 69285->69286 69287 1c2da47 69286->69287 69288 1c2bd08 7 API calls 69286->69288 69287->69262 69288->69287 69291 1c2bd13 69289->69291 69290 1c2e760 69291->69290 69293 1c2bdec 69291->69293 69294 1c2bdf7 69293->69294 69295 1c27bbc 7 API calls 69294->69295 69296 1c2e7cf 69295->69296 69302 
1c2e848 69296->69302 69297 1c2e7de 69300 6b005b8 CreateWindowExW PostMessageW SetTimer SetTimer 69297->69300 69301 6b00588 CreateWindowExW PostMessageW SetTimer SetTimer 69297->69301 69298 1c2e809 69298->69290 69300->69298 69301->69298 69303 1c2e876 69302->69303 69305 1c2e89f 69303->69305 69308 1c2e947 69303->69308 69311 1c2e1d8 GetFocus 69303->69311 69305->69308 69309 6b04bd0 4 API calls 69305->69309 69310 6b04bc0 4 API calls 69305->69310 69306 1c2e8ee 69307 1c2e942 KiUserCallbackDispatcher 69306->69307 69307->69308 69309->69306 69310->69306 69311->69305 69313 7ea7b0f 69312->69313 69314 7eabd3f GetCurrentThreadId 69313->69314 69315 7eaba18 69313->69315 69314->69315 69315->69208 69317 7ea8c2f 69316->69317 69324 7ea7924 69317->69324 69321 7ea8c46 69320->69321 69322 7ea7924 KiUserCallbackDispatcher 69321->69322 69323 7ea8c4f 69322->69323 69323->69226 69325 7ea792f 69324->69325 69326 7ea8c4f 69325->69326 69330 7ea9af0 69325->69330 69340 7ea9afe 69325->69340 69349 7ea9b00 69325->69349 69326->69226 69331 7ea9afe KiUserCallbackDispatcher 69330->69331 69332 7ea9af7 69331->69332 69333 7ea9ba0 69332->69333 69358 99650ca 69332->69358 69363 99650d8 69332->69363 69368 7ea9bb0 69332->69368 69372 7ea9c20 69332->69372 69376 7ea9bc0 69332->69376 69333->69326 69334 7ea9b6a 69334->69326 69341 7ea9b19 69340->69341 69342 7ea9ba0 69341->69342 69344 7ea9bc0 KiUserCallbackDispatcher 69341->69344 69345 7ea9bb0 KiUserCallbackDispatcher 69341->69345 69346 7ea9c20 KiUserCallbackDispatcher 69341->69346 69347 99650ca KiUserCallbackDispatcher 69341->69347 69348 99650d8 KiUserCallbackDispatcher 69341->69348 69342->69326 69343 7ea9b6a 69343->69326 69344->69343 69345->69343 69346->69343 69347->69343 69348->69343 69350 7ea9b19 69349->69350 69352 7ea9ba0 69350->69352 69353 7ea9bc0 KiUserCallbackDispatcher 69350->69353 69354 7ea9bb0 KiUserCallbackDispatcher 69350->69354 69355 7ea9c20 KiUserCallbackDispatcher 69350->69355 69356 99650ca KiUserCallbackDispatcher 69350->69356 69357 99650d8 
KiUserCallbackDispatcher 69350->69357 69351 7ea9b6a 69351->69326 69352->69326 69353->69351 69354->69351 69355->69351 69356->69351 69357->69351 69359 99650ff 69358->69359 69361 996531d 69359->69361 69362 7ea9c20 KiUserCallbackDispatcher 69359->69362 69360 9965351 69360->69334 69361->69334 69362->69360 69364 99650ff 69363->69364 69366 996531d 69364->69366 69367 7ea9c20 KiUserCallbackDispatcher 69364->69367 69365 9965351 69365->69334 69366->69334 69367->69365 69369 7ea9bbf 69368->69369 69371 7ea9c20 KiUserCallbackDispatcher 69369->69371 69370 7ea9c19 69370->69334 69371->69370 69373 7ea9c27 69372->69373 69374 7ea9ce6 69373->69374 69375 7ea9d71 KiUserCallbackDispatcher 69373->69375 69375->69374 69377 7ea9bd6 69376->69377 69379 7ea9c20 KiUserCallbackDispatcher 69377->69379 69378 7ea9c19 69378->69334 69379->69378 69650 6b04a58 69651 6b04a68 69650->69651 69654 996de92 12 API calls 69651->69654 69655 6b06484 4 API calls 69651->69655 69662 996dda2 69651->69662 69666 9218ef8 69651->69666 69678 996de18 69651->69678 69682 996b8e0 69651->69682 69686 9218f08 69651->69686 69698 996ddb0 69651->69698 69702 996b8f0 69651->69702 69652 6b04a91 69654->69652 69655->69652 69663 996ddd2 69662->69663 69664 996ddb3 69662->69664 69663->69652 69664->69663 69665 6b06484 4 API calls 69664->69665 69665->69664 69667 9218f0f 69666->69667 69668 9215654 OleInitialize 69667->69668 69669 9218f1f 69668->69669 69670 9218f60 69669->69670 69671 9218f23 69669->69671 69731 9219018 69670->69731 69735 9219028 69670->69735 69706 6b061c8 69671->69706 69719 6b061d8 69671->69719 69672 9218f2c 69672->69652 69673 9218fc4 69673->69652 69680 996ddb3 69678->69680 69679 996ddd2 69679->69652 69680->69679 69681 6b06484 4 API calls 69680->69681 69681->69680 69683 996b925 69682->69683 69685 6b06484 4 API calls 69683->69685 69684 996b97a 69684->69652 69685->69684 69687 9218f0f 69686->69687 69688 9215654 OleInitialize 69687->69688 69689 9218f1f 69688->69689 69690 9218f23 69689->69690 69692 9218f60 69689->69692 69696 6b061d8 4 
API calls 69690->69696 69697 6b061c8 4 API calls 69690->69697 69691 9218f2c 69691->69652 69694 9219028 SendMessageW 69692->69694 69695 9219018 SendMessageW 69692->69695 69693 9218fc4 69693->69652 69694->69693 69695->69693 69696->69691 69697->69691 69699 996ddb3 69698->69699 69700 996ddd2 69699->69700 69701 6b06484 4 API calls 69699->69701 69700->69652 69701->69699 69703 996b925 69702->69703 69705 6b06484 4 API calls 69703->69705 69704 996b97a 69704->69652 69705->69704 69712 6b061d2 69706->69712 69707 6b0617b 69709 6b0643c 69710 6b04bd0 4 API calls 69709->69710 69711 6b065e4 69709->69711 69710->69711 69711->69672 69712->69707 69712->69709 69739 6b05a90 CreateWindowExW PostMessageW SetTimer SetTimer 69712->69739 69713 6b062bd 69714 6b04bd0 4 API calls 69713->69714 69716 6b06365 69713->69716 69715 6b0632f 69714->69715 69717 6b04bd0 4 API calls 69715->69717 69718 6b04bd0 4 API calls 69716->69718 69717->69716 69718->69709 69723 6b061d9 69719->69723 69721 6b04bd0 4 API calls 69722 6b065e4 69721->69722 69722->69672 69729 6b0643c 69723->69729 69740 6b05a90 CreateWindowExW PostMessageW SetTimer SetTimer 69723->69740 69724 6b062bd 69725 6b04bd0 4 API calls 69724->69725 69730 6b06365 69724->69730 69726 6b0632f 69725->69726 69727 6b04bd0 4 API calls 69726->69727 69727->69730 69728 6b04bd0 4 API calls 69728->69729 69729->69721 69729->69722 69730->69728 69732 9219038 69731->69732 69741 921708c 69732->69741 69736 9219038 69735->69736 69737 921708c SendMessageW 69736->69737 69738 9219049 69737->69738 69738->69673 69739->69713 69740->69724 69742 9219060 SendMessageW 69741->69742 69743 9219049 69742->69743 69743->69673 69380 9215888 69381 921588f 69380->69381 69384 92155ec 69381->69384 69383 92158c1 69385 92155f7 69384->69385 69388 9215654 69385->69388 69389 921565f 69388->69389 69391 921594d 69389->69391 69392 9215664 69389->69392 69391->69383 69393 9215af8 OleInitialize 69392->69393 69394 9215b5c 69393->69394 69394->69391 69744 996d178 69745 996d136 69744->69745 69746 996d186 
69744->69746 69749 921708c SendMessageW 69745->69749 69750 921905a SendMessageW 69745->69750 69747 996d171 69749->69747 69751 92190cc 69750->69751 69751->69747 69395 9b3ae00 69396 9b3ae18 69395->69396 69399 9b3a5ac 69396->69399 69400 9b3a5b7 69399->69400 69404 1c27b2c 69400->69404 69408 1c27f6f 69400->69408 69401 9b3ae47 69405 1c27b37 69404->69405 69412 1c27b5c 69405->69412 69407 1c28005 69407->69401 69409 1c27fa1 69408->69409 69410 1c27b5c 7 API calls 69409->69410 69411 1c28005 69410->69411 69411->69401 69413 1c27b67 69412->69413 69416 1c27b8c 69413->69416 69415 1c280e2 69415->69407 69417 1c27b97 69416->69417 69418 1c27bbc 7 API calls 69417->69418 69419 1c281e5 69418->69419 69419->69415 69420 6b00185 69421 6b00190 69420->69421 69424 996e460 69420->69424 69429 996e450 69420->69429 69426 996e472 69424->69426 69425 996e4ae 69425->69421 69426->69425 69435 996e5b7 69426->69435 69440 996e5c8 69426->69440 69431 996e3cb 69429->69431 69432 996e45b 69429->69432 69430 996e4ae 69430->69421 69431->69421 69432->69430 69433 996e5b7 2 API calls 69432->69433 69434 996e5c8 2 API calls 69432->69434 69433->69430 69434->69430 69436 996e5bb 69435->69436 69437 996e553 69435->69437 69436->69437 69445 18bd6c0 69436->69445 69450 18bd6cf 69436->69450 69437->69425 69441 996e5eb 69440->69441 69442 996e720 69441->69442 69443 18bd6cf 2 API calls 69441->69443 69444 18bd6c0 2 API calls 69441->69444 69442->69425 69443->69442 69444->69442 69446 18bd6cf 69445->69446 69447 18bd716 69446->69447 69455 9b30ebf 69446->69455 69459 9b30ed0 69446->69459 69447->69437 69451 18bd6f8 69450->69451 69452 18bd716 69451->69452 69453 9b30ed0 2 API calls 69451->69453 69454 9b30ebf 2 API calls 69451->69454 69452->69437 69453->69451 69454->69451 69456 9b30ee1 69455->69456 69457 9b30f20 69456->69457 69463 9b34a35 69456->69463 69457->69446 69461 9b30ee1 69459->69461 69460 9b30f20 69460->69446 69461->69460 69462 9b34a35 2 API calls 69461->69462 69462->69460 69464 9b34a54 69463->69464 69467 9b34b73 69463->69467 69465 
9b34ad5 GetActiveWindow 69464->69465 69466 9b34b03 69464->69466 69464->69467 69465->69466 69466->69467 69470 9b3509b 69466->69470 69474 9b350a0 69466->69474 69471 9b350a8 69470->69471 69473 9b350b3 69471->69473 69478 9b35136 69471->69478 69473->69467 69475 9b350a8 69474->69475 69476 9b350b3 69475->69476 69477 9b35136 GetCurrentThreadId 69475->69477 69476->69467 69477->69476 69481 9b34438 69478->69481 69482 9b34443 69481->69482 69485 9b35c68 69482->69485 69483 9b35143 69483->69473 69486 9b35cbf GetCurrentThreadId 69485->69486 69488 9b35d05 69486->69488 69488->69483 69489 99658a0 69490 99658b2 69489->69490 69494 99658f8 69489->69494 69490->69494 69495 9964ad0 69490->69495 69493 9964ae0 SetTimer 69493->69494 69496 9964adb 69495->69496 69497 99658bf 69496->69497 69498 6b01410 CreateWindowExW 69496->69498 69499 6b01400 CreateWindowExW 69496->69499 69497->69493 69497->69494 69498->69497 69499->69497 69500 921b498 69501 921b4b1 69500->69501 69502 921aea0 2 API calls 69501->69502 69503 921b53c 69501->69503 69502->69503

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.1978301849.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6b00000_SPOOOFER776.jbxd
Similarity
• API ID:
• String ID: "$&$)$,$-$.$W$\
• API String ID: 0-274362971
• Opcode ID: 12551386e929bcf78720d7bdbf12c626914dcc2a34d3d2cc22eb0118205174d4
• Instruction ID: 87a88b21e9b15a56310093a47fac75b7293ac3fd22a5ea8dad0c9197739d3fcb
• Opcode Fuzzy Hash: 12551386e929bcf78720d7bdbf12c626914dcc2a34d3d2cc22eb0118205174d4
• Instruction Fuzzy Hash: 98723534600A44CFDB55DB64C858EA9BBB2FF89301F1584E8E51A9B3B1DF31A986CF40

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.1978301849.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6b00000_SPOOOFER776.jbxd
Similarity
• API ID:
• String ID: "$&$)$,$-$.$W$\
• API String ID: 0-274362971
• Opcode ID: 8dd80113dcfab7ff58af1fd4bc057157da64f66ae9c1c49d92660be68138f87d
• Instruction ID: ba37704064d66020bdcf9c35d71827165cd45e537aa1cb6f81eff28b9613a6f3
• Opcode Fuzzy Hash: 8dd80113dcfab7ff58af1fd4bc057157da64f66ae9c1c49d92660be68138f87d
• Instruction Fuzzy Hash: 2F623634600A44CFDB55DB64C858EA9BBB2FF89301F1584E8E51A9B3B1DF31A986DF40
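The two function entries above carry the same String ID and API String ID, and their Instruction Fuzzy Hash values differ in only 5 of 70 hex positions, which is the kind of signal an analyst uses to ask whether the same obfuscated routine recurs across samples. The following Python is an added example and is not part of the Joe Sandbox report or its tooling: it parses entries in the text layout shown on this page and clusters them by a position-by-position comparison of the Instruction Fuzzy Hash. That positional comparison is my own simplification for illustration; Joe Sandbox's actual similarity scoring is not described on this page. The sample text is constructed from the two complete entries above plus the next entry only as far as the page shows it (through Instruction ID), so it also exercises the missing-field path.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the two complete function entries from the report
# text above, copied field for field, plus a third entry that stops at
# "Instruction ID" (as shown on the page), so its fuzzy-hash fields are absent.
SAMPLE_ENTRIES = r"""
Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.1978301849.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6b00000_SPOOOFER776.jbxd
Similarity
• API ID:
• String ID: "$&$)$,$-$.$W$\
• API String ID: 0-274362971
• Opcode ID: 12551386e929bcf78720d7bdbf12c626914dcc2a34d3d2cc22eb0118205174d4
• Instruction ID: 87a88b21e9b15a56310093a47fac75b7293ac3fd22a5ea8dad0c9197739d3fcb
• Opcode Fuzzy Hash: 12551386e929bcf78720d7bdbf12c626914dcc2a34d3d2cc22eb0118205174d4
• Instruction Fuzzy Hash: 98723534600A44CFDB55DB64C858EA9BBB2FF89301F1584E8E51A9B3B1DF31A986CF40

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.1978301849.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6b00000_SPOOOFER776.jbxd
Similarity
• API ID:
• String ID: "$&$)$,$-$.$W$\
• API String ID: 0-274362971
• Opcode ID: 8dd80113dcfab7ff58af1fd4bc057157da64f66ae9c1c49d92660be68138f87d
• Instruction ID: ba37704064d66020bdcf9c35d71827165cd45e537aa1cb6f81eff28b9613a6f3
• Opcode Fuzzy Hash: 8dd80113dcfab7ff58af1fd4bc057157da64f66ae9c1c49d92660be68138f87d
• Instruction Fuzzy Hash: 2F623634600A44CFDB55DB64C858EA9BBB2FF89301F1584E8E51A9B3B1DF31A986DF40

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.1978301849.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6b00000_SPOOOFER776.jbxd
Similarity
• API ID:
• String ID: "$&$)$,$-$.$W$\
• API String ID: 0-274362971
• Opcode ID: 33d90715ff2edbf719f4400e97b1bf0bc15c841c0d4e1e6a44c6e91f0f6b7802
• Instruction ID: 8dbf2c3be15fd5fa21aba220aaa0868c13473f21e405547fafaa5c9ae6434068
"""

ENTRY_HEADER = "Control-flow Graph"          # each function entry starts with this label
FIELD_RE = re.compile(r"^\s*•\s*([^:]+):\s*(.*?)\s*$")   # "• Key: value" lines


def parse_function_entries(text: str) -> List[Dict[str, str]]:
    """Split the report text into one dict per function entry.

    Every '• Key: value' line after an entry label becomes a field of that
    entry; fields that are not present (truncated entries) simply stay absent.
    """
    entries: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        if line.strip() == ENTRY_HEADER:
            if current is not None:
                entries.append(current)
            current = {}
            continue
        if current is None:
            continue  # text before the first entry label
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2)
    if current is not None:
        entries.append(current)
    return entries


def hex_hamming(a: str, b: str) -> Optional[int]:
    """Number of hex positions that differ; None when lengths differ (not comparable)."""
    if len(a) != len(b):
        return None
    return sum(1 for x, y in zip(a.upper(), b.upper()) if x != y)


def fuzzy_hash_similarity(a: Optional[str], b: Optional[str]) -> Optional[float]:
    """Positional similarity in [0, 1] (assumed metric for illustration); None if not comparable."""
    if not a or not b:
        return None
    diff = hex_hamming(a, b)
    if diff is None:
        return None
    return 1.0 - diff / len(a)


def near_duplicate_groups(entries: List[Dict[str, str]],
                          key: str = "Instruction Fuzzy Hash",
                          threshold: float = 0.9) -> List[List[int]]:
    """Single-link clusters of entry indices whose hashes are at least `threshold` similar.

    Entries without the hash field are skipped. O(n^2) is fine for the few
    hundred functions a sandbox report typically lists.
    """
    candidates = [i for i, e in enumerate(entries) if e.get(key)]
    groups: List[List[int]] = []
    assigned = set()
    for i in candidates:
        if i in assigned:
            continue
        group, assigned = [i], assigned | {i}
        changed = True
        while changed:                       # keep absorbing until no member links a new entry
            changed = False
            for j in candidates:
                if j in assigned:
                    continue
                if any((fuzzy_hash_similarity(entries[j][key], entries[k][key]) or 0.0) >= threshold
                       for k in group):
                    group.append(j)
                    assigned.add(j)
                    changed = True
        if len(group) > 1:
            groups.append(group)
    return groups


if __name__ == "__main__":
    parsed = parse_function_entries(SAMPLE_ENTRIES)
    print(len(parsed), "entries;", "near-duplicate groups:", near_duplicate_groups(parsed))  # 3 entries; [[0, 1]]
```

Run on the page's own entries, the first two cluster together (65 of 70 hex positions identical) and the truncated third entry is skipped rather than mis-scored. Raising the threshold to 0.95 separates them again, which is the knob to tune against a larger corpus before treating fuzzy-hash proximity as evidence of shared code.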

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.1978301849.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6b00000_SPOOOFER776.jbxd
Similarity
• API ID:
• String ID: "$&$)$,$-$.$W$\
• API String ID: 0-274362971
• Opcode ID: 33d90715ff2edbf719f4400e97b1bf0bc15c841c0d4e1e6a44c6e91f0f6b7802
• Instruction ID: 8dbf2c3be15fd5fa21aba220aaa0868c13473f21e405547fafaa5c9ae6434068
• Opcode Fuzzy Hash: 33d90715ff2edbf719f4400e97b1bf0bc15c841c0d4e1e6a44c6e91f0f6b7802
• Instruction Fuzzy Hash: F1624534600A44CFDB55DB64C858EA9BBB2FF89301F1584E8E51A9B3B1DF31A986CF40

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.1990148306.0000000009210000.00000040.00000800.00020000.00000000.sdmp, Offset: 09210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9210000_SPOOOFER776.jbxd
Similarity
• API ID:
• String ID: Hmq$Hmq
• API String ID: 0-2783791011
• Opcode ID: 2a89e97e3612dda1507c0ff447f12d033462a03150267e2d786de91bbd212997
• Instruction ID: 1babc8ce50b7fd793984e8fbaa220e190cbdd056d85bee0fb17dfb4cea8e732a
• Opcode Fuzzy Hash: 2a89e97e3612dda1507c0ff447f12d033462a03150267e2d786de91bbd212997
• Instruction Fuzzy Hash: 61E1A270A012589FCB05DFA9C994A9E7FF6FF99300F148069E409EB3A5DB309D46CB91

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.1990148306.0000000009210000.00000040.00000800.00020000.00000000.sdmp, Offset: 09210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9210000_SPOOOFER776.jbxd
Similarity
• API ID:
• String ID: #$#
• API String ID: 0-2529538431
• Opcode ID: e0392493d0cb14b2320e3801799a4d62429d767b258d22df4b461cfeefd99102
• Instruction ID: acd396c776e606f4a9fd845a612932b8e6a2f88bba3bc9cc178e1566e2017b39
• Opcode Fuzzy Hash: e0392493d0cb14b2320e3801799a4d62429d767b258d22df4b461cfeefd99102
• Instruction Fuzzy Hash: E5D1D635A10210CFDB04CF64C980B99BBB2FF94304F15817AD909AF366DBB6E946CB41

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.1990148306.0000000009210000.00000040.00000800.00020000.00000000.sdmp, Offset: 09210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9210000_SPOOOFER776.jbxd
Similarity
• API ID:
• String ID: #$#
• API String ID: 0-2529538431
• Opcode ID: 335129407d2d6e9d7fa094ffa7066054791a9dd27be550765dce151b20bef5f2
• Instruction ID: c859ebb4276ceaa638e5b53a0b93352a5155f9e1a60a75ab7e2c12b961d5bb8a
• Opcode Fuzzy Hash: 335129407d2d6e9d7fa094ffa7066054791a9dd27be550765dce151b20bef5f2
• Instruction Fuzzy Hash: 91D1C531A10215CFDB04CF68C980B9ABBB6FF94304F158179D909AF3A5DBB6E946CB41
Strings
Memory Dump Source
• Source File: 00000000.00000002.1978301849.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6b00000_SPOOOFER776.jbxd
Similarity
• API ID:
• String ID: #
• API String ID: 0-1885708031
• Opcode ID: 445d16890061b587ea50200da3534995025f194bd344215c5aa9b4e2ddce521f
• Instruction ID: 3e959682bc7e0bd130fe1cbb8ef89457b3e70f3bdf7d99ff69bb77e3e953783d
• Opcode Fuzzy Hash: 445d16890061b587ea50200da3534995025f194bd344215c5aa9b4e2ddce521f
• Instruction Fuzzy Hash: B651E3B0911209DFEB40CF68D88479EFFB1FF88304F1496A9D404AB291D376D959CB91
Memory Dump Source
• Source File: 00000000.00000002.1978301849.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6b00000_SPOOOFER776.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dec6d758693be7e07a5d7e614fcfdef3e0ec4edae95b28d90873a7536f6094ba
• Instruction ID: 68229c06be84900434eb5fda7847c5f89ad846685abf9f1cccf80d6e6542aadc
• Opcode Fuzzy Hash: dec6d758693be7e07a5d7e614fcfdef3e0ec4edae95b28d90873a7536f6094ba
• Instruction Fuzzy Hash: B2B1C375B055019FE798DBB4CA80A6ABFB2FF88300F0184B6D6069B3E1DA75DC01CB81
Memory Dump Source
• Source File: 00000000.00000002.1978301849.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6b00000_SPOOOFER776.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c5a360bd45552219fa69f6ce34e969f7734890b48bf897a76cbaefd9ce8707a1
• Instruction ID: 4e9b1f700b2bc915902fff1a11bed914e5e063e670caa63ae11680b5de1eeca7
• Opcode Fuzzy Hash: c5a360bd45552219fa69f6ce34e969f7734890b48bf897a76cbaefd9ce8707a1
• Instruction Fuzzy Hash: 62B1B275B055059FE798DBB4C980A6ABFB6FF88300F0084B6E6069B3E1DA75DC01CB81
Memory Dump Source
• Source File: 00000000.00000002.1963684057.0000000001C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1c20000_SPOOOFER776.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9579bd56261ed894e580adeca4d87cdf9d1e6cb15094eef94ee069a164fd24e6
• Instruction ID: 42f740eced9ba6f3567b2052b89cf9cd61b136cca34bcdc7ddc92dfb218a3285
• Opcode Fuzzy Hash: 9579bd56261ed894e580adeca4d87cdf9d1e6cb15094eef94ee069a164fd24e6
• Instruction Fuzzy Hash: CFA14D32A00229CFCF15DFB9C84499EBBB2FF95300B15456EE906BB265DB31E955CB80
Memory Dump Source
• Source File: 00000000.00000002.1978301849.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6b00000_SPOOOFER776.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 20c93bc5192acd734247a50399dcc0489e4e1e0914fdd63699236e1bcc37108b
• Instruction ID: f5e165306e776d536d2b5544f1dfaf8db0e3a0095e0ff6b52c3b14ffc7bb4898
• Opcode Fuzzy Hash: 20c93bc5192acd734247a50399dcc0489e4e1e0914fdd63699236e1bcc37108b
• Instruction Fuzzy Hash: 5E913BB4D40209EFEB48DFA1E58198DBFB2FF88310F10D46AD116AB2A5D734A905CF40
Memory Dump Source
• Source File: 00000000.00000002.1978301849.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6b00000_SPOOOFER776.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a5f7dceda15c2eed426cf9bfc655160b4365cdfcf52ed94d7207ffd55cff22f7
• Instruction ID: e34d2b3681c9e5da24bf45df4317d73f2d558e2dd72257d8c98c197eeb3fc9ad
• Opcode Fuzzy Hash: a5f7dceda15c2eed426cf9bfc655160b4365cdfcf52ed94d7207ffd55cff22f7
• Instruction Fuzzy Hash: 14911BB0D50609EFEB48DFA5E58198DBFF6FF88310F20D4669116AB2A5D734A905CF40
Memory Dump Source
• Source File: 00000000.00000002.1990148306.0000000009210000.00000040.00000800.00020000.00000000.sdmp, Offset: 09210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9210000_SPOOOFER776.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d6cd932e64e599f3c96687cbf542cbdf5c46f077f3685d3da38929db86cacf04
• Instruction ID: 1560374e663177f47d26a15f72784219f60ddd3fd3f00ef70e5a937602674a4a
• Opcode Fuzzy Hash: d6cd932e64e599f3c96687cbf542cbdf5c46f077f3685d3da38929db86cacf04
• Instruction Fuzzy Hash: 6751B332728212CFC708DE38C540726BBA6FBA0344B10997BD4458B2D0DB75EA65CB81
Memory Dump Source
• Source File: 00000000.00000002.1990148306.0000000009210000.00000040.00000800.00020000.00000000.sdmp, Offset: 09210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9210000_SPOOOFER776.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 56800223dea02cbd756bd3ba7f66a742e283279e538ae0570a0fd991d39b3c1d
• Instruction ID: 1fd95684cdcd9faa6334bab755e80e0e37b64149cdcf990c91c2080eb38894ae
• Opcode Fuzzy Hash: 56800223dea02cbd756bd3ba7f66a742e283279e538ae0570a0fd991d39b3c1d
• Instruction Fuzzy Hash: B951A132728216CFD708DE38958072ABBA6FBA0344F50997BD4468B2D4DB75E9A1C781
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1978301849.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_6b00000_SPOOOFER776.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: d2adb7327ef2a630a4efc89a2c6128ffb8ffeafc4abc33422586b434e240ec1e
                                                                                                                                    • Instruction ID: 3310e33d0f938c48ea67094f9b55bdd8952ca3b82c82f7a678f15ce73ee8999c
                                                                                                                                    • Opcode Fuzzy Hash: d2adb7327ef2a630a4efc89a2c6128ffb8ffeafc4abc33422586b434e240ec1e
                                                                                                                                    • Instruction Fuzzy Hash: 9A5195B4A0420B8FEB41CF64C6C199EBFB1FB84310F108A7695049B2E6D775D989CBD1
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2000756729.0000000009B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B30000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_9b30000_SPOOOFER776.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: c94fb2f3e43653773fa1720c82706357b994f0fe7409bb54f7ec4591c1712521
                                                                                                                                    • Instruction ID: 88aeed415540491815d4f6b5487ead10c0f07c7cfdd758dc7686a84997c824d0
                                                                                                                                    • Opcode Fuzzy Hash: c94fb2f3e43653773fa1720c82706357b994f0fe7409bb54f7ec4591c1712521
                                                                                                                                    • Instruction Fuzzy Hash: 9A419FB1B05206DFDB08DB74D894B6DB7A6FB84310F5085BAE1099B290DB35ED11CA91
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2000756729.0000000009B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B30000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_9b30000_SPOOOFER776.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 530abd92506ee00742e8528b1261e56e5052564c97d80691ac159b0f68b1f893
                                                                                                                                    • Instruction ID: 8a1e8014d0fe9417bb7376fba798402627dd8fc9d4397dedd6f8e31958124f85
                                                                                                                                    • Opcode Fuzzy Hash: 530abd92506ee00742e8528b1261e56e5052564c97d80691ac159b0f68b1f893
                                                                                                                                    • Instruction Fuzzy Hash: B241BDB1B05206DFDB08DF74C994B6DB7B6FB88310F5089BAE1099B290DB31AD11CB85

Control-flow Graph (rendered graph omitted; executed/not-executed colouring lost in extraction): function 01C2DB18, basic blocks 1c2db18-1c2dce5, calling GetCurrentProcess, GetCurrentThread, GetCurrentProcess and GetCurrentThreadId
                                                                                                                                    APIs
                                                                                                                                    • GetCurrentProcess.KERNEL32 ref: 01C2DB96
                                                                                                                                    • GetCurrentThread.KERNEL32 ref: 01C2DBD3
                                                                                                                                    • GetCurrentProcess.KERNEL32 ref: 01C2DC10
                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 01C2DC69
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1963684057.0000000001C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C20000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_1c20000_SPOOOFER776.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Current$ProcessThread
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2063062207-0
                                                                                                                                    • Opcode ID: c66aca2bf40fdffb814ce1682691766bd0260e9c4adb28a54e5ddffae8e11788
                                                                                                                                    • Instruction ID: 1309b5081a2f9332f73b23c865f4da6e79c780ad1e3d71e48a53693728f51ad9
                                                                                                                                    • Opcode Fuzzy Hash: c66aca2bf40fdffb814ce1682691766bd0260e9c4adb28a54e5ddffae8e11788
                                                                                                                                    • Instruction Fuzzy Hash: E85134B0900249CFDB14DFA9D548BEEBFF1AF88314F208459E419A7360DB74A985CF65

Control-flow Graph (rendered graph omitted; executed/not-executed colouring lost in extraction): function 09B34A35, basic blocks 9b34a35-9b34e00, calling GetActiveWindow and the internal routines 9b343b8, 9b350a0 or 9b3509b, and 9b38580 or 9b38570
                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2000756729.0000000009B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B30000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_9b30000_SPOOOFER776.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ActiveWindow
                                                                                                                                    • String ID: Hmq$Hmq
                                                                                                                                    • API String ID: 2558294473-2783791011
                                                                                                                                    • Opcode ID: 72a9bde8b278ebd577f2077ea972df316434e4d0b189914db85466f9a601e4a0
                                                                                                                                    • Instruction ID: ce6fe77a00de80dc8b146eebc346366c974d6b881dec0ec582001da16f42b980
                                                                                                                                    • Opcode Fuzzy Hash: 72a9bde8b278ebd577f2077ea972df316434e4d0b189914db85466f9a601e4a0
                                                                                                                                    • Instruction Fuzzy Hash: 4B61AF30F102199FCB49EFB894543AE7AE3FF98350F548468E506EB3A4DF3898468B55
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1978301849.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_6b00000_SPOOOFER776.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 6aea24ee7309e5d13c2719211763448b327333d3ab890b678e87334dfe5e1134
                                                                                                                                    • Instruction ID: 59217ce1a7d3d6f1517506065e30733bc8bca216cff38407efede1b6340d5b05
                                                                                                                                    • Opcode Fuzzy Hash: 6aea24ee7309e5d13c2719211763448b327333d3ab890b678e87334dfe5e1134
                                                                                                                                    • Instruction Fuzzy Hash: 5A223FB4E00206CFFB94DB58D5889AEBFF2EB85310F2485D6DA11972E5DB349C81CB91
                                                                                                                                    APIs
                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 01C2B9D6
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1963684057.0000000001C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C20000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_1c20000_SPOOOFER776.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: HandleModule
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 4139908857-0
                                                                                                                                    • Opcode ID: a1f20c90cae9c2ab478f670e9be322ba2e07ee01e8ea59c0b3cfcdb46ae6f8c5
                                                                                                                                    • Instruction ID: 87bfd287740e01ebdee9bd88d5185f5da4bb99b170bf5a1840b423edf1a22b7c
                                                                                                                                    • Opcode Fuzzy Hash: a1f20c90cae9c2ab478f670e9be322ba2e07ee01e8ea59c0b3cfcdb46ae6f8c5
                                                                                                                                    • Instruction Fuzzy Hash: 048142B0A00B15CFDB25DF2AD04075ABBF1BF88300F108A2AD48AD7B51DB74E949CB90
                                                                                                                                    APIs
                                                                                                                                    • KiUserCallbackDispatcher.NTDLL(00000014,?,?,045C4144,03637F14,?,00000000), ref: 07EA9D8E
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1985298813.0000000007EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07EA0000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_7ea0000_SPOOOFER776.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CallbackDispatcherUser
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2492992576-0
                                                                                                                                    • Opcode ID: 05fc842c84a3663edbc0ab415f275f87bcba2702e9a0e917aceb7d9451348b4d
                                                                                                                                    • Instruction ID: 2cb5acf57ec4602889530abf68413501330f1d8abe2d015b18e354feac5e3ec5
                                                                                                                                    • Opcode Fuzzy Hash: 05fc842c84a3663edbc0ab415f275f87bcba2702e9a0e917aceb7d9451348b4d
                                                                                                                                    • Instruction Fuzzy Hash: E2718174A01209EFCB15DF69D888D9DBBB2BF49724F115498F911AB362D731E881CB50
                                                                                                                                    APIs
                                                                                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06B02442
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1978301849.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_6b00000_SPOOOFER776.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CreateWindow
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 716092398-0
                                                                                                                                    • Opcode ID: b505827ad7abcfe3ec47a49ab630c0ad4b7bed1f0d31133ebc1ee416d03115be
                                                                                                                                    • Instruction ID: 9ed0d04feb06763ee165c70a66ec10c1155ebf616bdaf7942b49b6c2aa73261b
                                                                                                                                    • Opcode Fuzzy Hash: b505827ad7abcfe3ec47a49ab630c0ad4b7bed1f0d31133ebc1ee416d03115be
                                                                                                                                    • Instruction Fuzzy Hash: 5C51EFB1C00209EFEF15CF99C984ADEBFB1BF48310F24816AE518AB261D7719945CF90
                                                                                                                                    APIs
                                                                                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06B02442
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1978301849.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_6b00000_SPOOOFER776.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CreateWindow
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 716092398-0
                                                                                                                                    • Opcode ID: 17d319b23a7f53aaaeaed7c3b5a7af5bc10310173b9a519d19ed22a138147f92
                                                                                                                                    • Instruction ID: de532cdecca7229e1fb36999fc97f86f1588791069421b4dbe32518f59fda48d
                                                                                                                                    • Opcode Fuzzy Hash: 17d319b23a7f53aaaeaed7c3b5a7af5bc10310173b9a519d19ed22a138147f92
                                                                                                                                    • Instruction Fuzzy Hash: 8541DFB1D00319AFEB14CF9AC884ADEBFB5FF48310F24816AE818AB250D7719945CF90
                                                                                                                                    APIs
                                                                                                                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 06B049B1
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1978301849.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_6b00000_SPOOOFER776.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CallProcWindow
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2714655100-0
                                                                                                                                    • Opcode ID: 90e67044b1d2e624b4c5ad042eb02b1fd1e6a97a33416a9e0b9c38e4f116d2e6
• Instruction ID: 8c161a38bdfade363af0cc30fc1fe780a422f8a6dc9285e42bc0caa041fee7f4
• Opcode Fuzzy Hash: 90e67044b1d2e624b4c5ad042eb02b1fd1e6a97a33416a9e0b9c38e4f116d2e6
• Instruction Fuzzy Hash: 784129B4900305CFDB54CF99C548AAABFF5FB88314F24C599E559AB361D770A841CFA0
APIs
• CreateActCtxA.KERNEL32(?), ref: 01C26049
Memory Dump Source
• Source File: 00000000.00000002.1963684057.0000000001C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1c20000_SPOOOFER776.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 26cb30db56ba8a8c420147b9bb9bc80a0453051e8168d8080ac4356cb25497c5
• Instruction ID: 20be4ac9474e6df6ee2db5f256f7c2651671c0f0bffcf349d035a201b7ee67ad
• Opcode Fuzzy Hash: 26cb30db56ba8a8c420147b9bb9bc80a0453051e8168d8080ac4356cb25497c5
• Instruction Fuzzy Hash: 0941C2B1C00729CFDB24DFA9C844B9EBBB5BF48304F24806AD508AB255DB756949CF90
APIs
• CreateActCtxA.KERNEL32(?), ref: 01C26049
Memory Dump Source
• Source File: 00000000.00000002.1963684057.0000000001C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1c20000_SPOOOFER776.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 502e9a94f9f8c1e3d3b107c287aba9dc0c35931ef647c1f59a85628a4cbe236b
• Instruction ID: df92f4765a718129d245d4b3659016cb89184297c7cfa3ec562ff9b0c11054c4
• Opcode Fuzzy Hash: 502e9a94f9f8c1e3d3b107c287aba9dc0c35931ef647c1f59a85628a4cbe236b
• Instruction Fuzzy Hash: 0841D2B1C00729CFDB24CFA9C984BCEBBB5BF49304F24805AD408AB255DB756949CF94
APIs
• KiUserCallbackDispatcher.NTDLL(00000000,?,?), ref: 0921B030
Memory Dump Source
• Source File: 00000000.00000002.1990148306.0000000009210000.00000040.00000800.00020000.00000000.sdmp, Offset: 09210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9210000_SPOOOFER776.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: a9531a6e02b27bc836302806274058654fdcd0e5f5fd55a172c433fa98f7735b
• Instruction ID: 46c410b12b509387bcb2d8696d1ec08fc27b62b0e6879f3177755a4c6051762a
• Opcode Fuzzy Hash: a9531a6e02b27bc836302806274058654fdcd0e5f5fd55a172c433fa98f7735b
• Instruction Fuzzy Hash: 863114B1D11259DFCB10CFAAD884ADEFFF4AF58310F24802AE419E7250DB31A945CB90
APIs
• KiUserCallbackDispatcher.NTDLL(00000000,?,?), ref: 0921B030
Memory Dump Source
• Source File: 00000000.00000002.1990148306.0000000009210000.00000040.00000800.00020000.00000000.sdmp, Offset: 09210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9210000_SPOOOFER776.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: 6da475a4aa6a3fe25550e274a4d8cd1f0239490157c388684d4eeaef13a59412
• Instruction ID: fe661b6a68003b05b1a9aae11c062d76fe0bb09be4966bef0f8399c0227e9f1a
• Opcode Fuzzy Hash: 6da475a4aa6a3fe25550e274a4d8cd1f0239490157c388684d4eeaef13a59412
• Instruction Fuzzy Hash: F63102B1D113599FDB14CFAAC884ADEBFF4AF58350F24802EE419E7250DB719985CBA0
APIs
• GetProcessWindowStation.USER32 ref: 09B34EFD
Memory Dump Source
• Source File: 00000000.00000002.2000756729.0000000009B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9b30000_SPOOOFER776.jbxd
Similarity
• API ID: ProcessStationWindow
• String ID:
• API String ID: 3348185895-0
• Opcode ID: 9a2b93186c1609e5b4412ec62444f583a71eed4f37400927c6ccfe056f9cf524
• Instruction ID: 5dc496c10440b9358e1886556506aa8ab7dd9d3972b8ee3eed3d5a95b40e1377
• Opcode Fuzzy Hash: 9a2b93186c1609e5b4412ec62444f583a71eed4f37400927c6ccfe056f9cf524
• Instruction Fuzzy Hash: 1021E470D002499FDB10CFA9C5487AEBFF9EB58320F18806AE409E7290D778A444CBE5
APIs
• SetWindowTextW.USER32(?,00000000), ref: 09218B2A
Memory Dump Source
• Source File: 00000000.00000002.1990148306.0000000009210000.00000040.00000800.00020000.00000000.sdmp, Offset: 09210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9210000_SPOOOFER776.jbxd
Similarity
• API ID: TextWindow
• String ID:
• API String ID: 530164218-0
• Opcode ID: c2fb58c87eca5dbf80beade9ecec4c77afae85a342b1f080c8290fcdff9c4a84
• Instruction ID: 292f55d2989ab8106b12ef1a93ee4ddfd79e0360ac5e191e859a86053441570a
• Opcode Fuzzy Hash: c2fb58c87eca5dbf80beade9ecec4c77afae85a342b1f080c8290fcdff9c4a84
• Instruction Fuzzy Hash: A82157B69043498FDB10CF9AC844BDEBFF4EB49310F15C06AE458A7251D378A649CFA5
APIs
• GetProcessWindowStation.USER32 ref: 09B34EFD
Memory Dump Source
• Source File: 00000000.00000002.2000756729.0000000009B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9b30000_SPOOOFER776.jbxd
Similarity
• API ID: ProcessStationWindow
• String ID:
• API String ID: 3348185895-0
• Opcode ID: 6e4812053ef4a8e1d5b9014ac05ad204567c97709da5c9189f78eade9b8b0fe9
• Instruction ID: 526914e742d1fbe8956202c266e1f3391cf698182ca55443e86ed082370ea485
• Opcode Fuzzy Hash: 6e4812053ef4a8e1d5b9014ac05ad204567c97709da5c9189f78eade9b8b0fe9
• Instruction Fuzzy Hash: 9E21D371D002498FDB10CFA9C5447AEFBF5EB58320F58806AE419E7290D778A544CFA5
APIs
• GetCurrentThreadId.KERNEL32 ref: 09B35CF2
Memory Dump Source
• Source File: 00000000.00000002.2000756729.0000000009B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9b30000_SPOOOFER776.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
• Opcode ID: 6aec0d9033003202b973f6fa2a0b1b7e037854590bee6a87df1b322bbdddf90a
• Instruction ID: 2922548783824203bb4256f56d518c924e29481f78e8f502e14b3b0d65a2ef2a
• Opcode Fuzzy Hash: 6aec0d9033003202b973f6fa2a0b1b7e037854590bee6a87df1b322bbdddf90a
• Instruction Fuzzy Hash: B12144B190024A8FCB10DF99C484A9EFBF0FB08324F10C56AE858AB311D374A945CFA1
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01C2DDE7
Memory Dump Source
• Source File: 00000000.00000002.1963684057.0000000001C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1c20000_SPOOOFER776.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: a349b660edb9993e988c72e0e04ae19ce1f5999f39ff27c58fec559cfa4fc6f1
• Instruction ID: 92c5bba463fd0a19fc83710af9c8ff57fe1a8621f78ba885152715e3b2e71b12
• Opcode Fuzzy Hash: a349b660edb9993e988c72e0e04ae19ce1f5999f39ff27c58fec559cfa4fc6f1
• Instruction Fuzzy Hash: 2F21E4B5D00219DFDB10CF9AD984ADEBFF4EB48310F14801AE914A3310D374A940CFA5
APIs
• EnumThreadWindows.USER32(?,00000000,?), ref: 09B35DD1
Memory Dump Source
• Source File: 00000000.00000002.2000756729.0000000009B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9b30000_SPOOOFER776.jbxd
Similarity
• API ID: EnumThreadWindows
• String ID:
• API String ID: 2941952884-0
• Opcode ID: 21dc5b0be137226a6ae319347d64f5f7bda7d1f42891e937752c9dc0845ae1c7
• Instruction ID: 67990d9da739403911ba4ff23ad6c2e1f348c3039b95020e34e5e781ceb92e8c
• Opcode Fuzzy Hash: 21dc5b0be137226a6ae319347d64f5f7bda7d1f42891e937752c9dc0845ae1c7
• Instruction Fuzzy Hash: 772138B1D102198FDB10CF9AC844BEFFBF4EB88320F14842AE458A3250D774A944CFA4
APIs
• EnumThreadWindows.USER32(?,00000000,?), ref: 09B35DD1
Memory Dump Source
• Source File: 00000000.00000002.2000756729.0000000009B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9b30000_SPOOOFER776.jbxd
Similarity
• API ID: EnumThreadWindows
• String ID:
• API String ID: 2941952884-0
• Opcode ID: b8138ba2b74d7d847abff5f3d5517d9e60fd9e734010d24b129ab038a7231ec2
• Instruction ID: b860f2a0fe9b436fe58db16699a0914427d7191b421c88157610624db63826c0
• Opcode Fuzzy Hash: b8138ba2b74d7d847abff5f3d5517d9e60fd9e734010d24b129ab038a7231ec2
• Instruction Fuzzy Hash: 68212971D102198FDB14CF99C544BEEFBF5FB48320F14846AD458A7650C778A945CF64
APIs
• MessageBoxW.USER32(?,00000000,00000000,?), ref: 09B36225
Memory Dump Source
• Source File: 00000000.00000002.2000756729.0000000009B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9b30000_SPOOOFER776.jbxd
Similarity
• API ID: Message
• String ID:
• API String ID: 2030045667-0
• Opcode ID: c17f997bcf37c6c130668a2611f8eb895391adf343d5266a390c5a28701ec076
• Instruction ID: 03c507cf63b101b44dbece47f46d4e08496a842ec2ffbefd873bc7fa1ed94cc7
• Opcode Fuzzy Hash: c17f997bcf37c6c130668a2611f8eb895391adf343d5266a390c5a28701ec076
• Instruction Fuzzy Hash: 3D21EFB6900359DFCB14CF9AD884ADEFBB4FB88320F10856EE419A7210C375A944CBA0
APIs
• SendMessageW.USER32(?,?,?,?,?,?,?,?,00000000,?,?,?,?,000000FF), ref: 0921F92F
Memory Dump Source
• Source File: 00000000.00000002.1990148306.0000000009210000.00000040.00000800.00020000.00000000.sdmp, Offset: 09210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9210000_SPOOOFER776.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: d08cfea3040c5aa9bf55376d460232a856effb839070f51d2e40fae3072f723e
• Instruction ID: 1c5770c2d79778216b8e1b767b7d6370e6b7e61324df631c500c959ef80c4fcd
• Opcode Fuzzy Hash: d08cfea3040c5aa9bf55376d460232a856effb839070f51d2e40fae3072f723e
• Instruction Fuzzy Hash: EB21E2B5900319DFCB10CF9AD984ADEFBF8FB58310F10842AE558A7210D375A544CFA5
APIs
• MessageBoxW.USER32(?,00000000,00000000,?), ref: 09B36225
Memory Dump Source
• Source File: 00000000.00000002.2000756729.0000000009B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9b30000_SPOOOFER776.jbxd
Similarity
• API ID: Message
• String ID:
• API String ID: 2030045667-0
• Opcode ID: 36b7840189b8a26b35de53d07b4e24f3dd3e221096c83a0be8102f87acce3cac
• Instruction ID: 467673658d396c85123b99afb22374d4a462826d547054e9c9ccddb3fc68fb35
                                                                                                                                    • Opcode Fuzzy Hash: 36b7840189b8a26b35de53d07b4e24f3dd3e221096c83a0be8102f87acce3cac
                                                                                                                                    • Instruction Fuzzy Hash: 9D21EFB6900359DFCB14CF9AD884ADEFBB5FB48320F50856EE819A7200C375A944CBA4
                                                                                                                                    APIs
                                                                                                                                    • SendMessageW.USER32(?,?,?,?,?,?,?,?,00000000,?,?,?,?,000000FF), ref: 0921F92F
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1990148306.0000000009210000.00000040.00000800.00020000.00000000.sdmp, Offset: 09210000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_9210000_SPOOOFER776.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessageSend
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3850602802-0
                                                                                                                                    • Opcode ID: 5a30643a4256430eddc4d51428855cc24e7b3c630edf63ee4c686adb910033e2
                                                                                                                                    • Instruction ID: c44dbdf89b656137539e0ad6b2e237beefaf32d43d6c1ee9029e111622838c6b
                                                                                                                                    • Opcode Fuzzy Hash: 5a30643a4256430eddc4d51428855cc24e7b3c630edf63ee4c686adb910033e2
                                                                                                                                    • Instruction Fuzzy Hash: 7321E2B5910319DFCB10DF9AD984ADEFBF4FB58310F50842AE958A7210D374A944CBA4
                                                                                                                                    APIs
                                                                                                                                    • SetWindowTextW.USER32(?,00000000), ref: 09218B2A
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1990148306.0000000009210000.00000040.00000800.00020000.00000000.sdmp, Offset: 09210000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_9210000_SPOOOFER776.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: TextWindow
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 530164218-0
                                                                                                                                    • Opcode ID: 8672d7f88b58b01b9f47a1843d9c79cfaf929cbf830ca1a18702f6cab024a573
                                                                                                                                    • Instruction ID: b4abb8e1285f67c523f6f794f3bed0f6b4c09492a9f9c4c0c6d02fb902378465
                                                                                                                                    • Opcode Fuzzy Hash: 8672d7f88b58b01b9f47a1843d9c79cfaf929cbf830ca1a18702f6cab024a573
                                                                                                                                    • Instruction Fuzzy Hash: E21126B6C002098FDB10CF9AC844BDEFBF4EB48320F10C02AE859A7240D378A645CFA5
                                                                                                                                    APIs
                                                                                                                                    • PostMessageW.USER32(?,?,?,?), ref: 099607A5
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2000549951.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_9960000_SPOOOFER776.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessagePost
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 410705778-0
                                                                                                                                    • Opcode ID: 1ff0a3aa0f8919406a2d3047a41b2c9b85c50a1894652a3227c60dd684e5cb2e
                                                                                                                                    • Instruction ID: 6703408ec8d5ca44d2ec7401dfdbb526bc8894856e97eb42643705b289bb372e
                                                                                                                                    • Opcode Fuzzy Hash: 1ff0a3aa0f8919406a2d3047a41b2c9b85c50a1894652a3227c60dd684e5cb2e
                                                                                                                                    • Instruction Fuzzy Hash: BD1116B5800349DFDB10CF9AC885BEEBFF8EB48310F10845AE955A3251C378A684CFA1
                                                                                                                                    APIs
                                                                                                                                    • PostMessageW.USER32(?,?,?,?,?,?,?,?,0921F2E1,?,?,00000000), ref: 0921F355
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1990148306.0000000009210000.00000040.00000800.00020000.00000000.sdmp, Offset: 09210000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_9210000_SPOOOFER776.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessagePost
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 410705778-0
                                                                                                                                    • Opcode ID: 2b155a67c8ce4f745ddd6b0c4e8083503bb1eef2d9514bd20b3e8922d146d3a7
                                                                                                                                    • Instruction ID: dfb5d093775d616cbacdad5454ef81e702fe57669e1994ad1900f3a49f73c8b0
                                                                                                                                    • Opcode Fuzzy Hash: 2b155a67c8ce4f745ddd6b0c4e8083503bb1eef2d9514bd20b3e8922d146d3a7
                                                                                                                                    • Instruction Fuzzy Hash: 42110FB5800348DFCB10CF9AC984BDEBBF8FB48324F10841AE468A7610C375A940CFA5
                                                                                                                                    APIs
                                                                                                                                    • PostMessageW.USER32(?,?,?,?), ref: 099607A5
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2000549951.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_9960000_SPOOOFER776.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessagePost
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 410705778-0
                                                                                                                                    • Opcode ID: 0f29c535ba12b3cf8e661d9ee408b66e345b97aa12ab4fd1ec2e12480e339290
                                                                                                                                    • Instruction ID: 241566b4f5074342e6f247b2c344cffe36ceaa0e01caafd5147c5a035e9ddfb3
                                                                                                                                    • Opcode Fuzzy Hash: 0f29c535ba12b3cf8e661d9ee408b66e345b97aa12ab4fd1ec2e12480e339290
                                                                                                                                    • Instruction Fuzzy Hash: C91106B5800349DFDB10CF9AC885BDEFBF8EB48320F10845AE954A3650D379A584CFA5
                                                                                                                                    APIs
                                                                                                                                    • PostMessageW.USER32(?,?,?,?,?,?,?,?,0921F2E1,?,?,00000000), ref: 0921F355
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1990148306.0000000009210000.00000040.00000800.00020000.00000000.sdmp, Offset: 09210000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_9210000_SPOOOFER776.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessagePost
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 410705778-0
                                                                                                                                    • Opcode ID: 07c700d4b21c94161d42c37444975858c498300bfbd276843471deccae8813db
                                                                                                                                    • Instruction ID: 2f7055e29d8665d38b24d06da99ee9ce5e496dbf5e514a542b94717021120792
                                                                                                                                    • Opcode Fuzzy Hash: 07c700d4b21c94161d42c37444975858c498300bfbd276843471deccae8813db
                                                                                                                                    • Instruction Fuzzy Hash: 851103B5800749DFDB10DF9AC988BDEFBF8EB58320F108419E568A7610C3B5A954CFA5
                                                                                                                                    APIs
                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 01C2B9D6
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1963684057.0000000001C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 01C20000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_1c20000_SPOOOFER776.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: HandleModule
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 4139908857-0
                                                                                                                                    • Opcode ID: f988a48b6cd6b2b421feb2aa9f6588bb0c5a5fd6d46b1cce0f7981736d09aa0c
                                                                                                                                    • Instruction ID: 4759d226d283b55e0d74b5ba819d47a80e41873a2562a16809d732a8e9453d18
                                                                                                                                    • Opcode Fuzzy Hash: f988a48b6cd6b2b421feb2aa9f6588bb0c5a5fd6d46b1cce0f7981736d09aa0c
                                                                                                                                    • Instruction Fuzzy Hash: C5110FB5D00259CFDB10DF9AC444BDEFBF4AB88320F10842AD459A7210C375A945CFA1
                                                                                                                                    APIs
                                                                                                                                    • SetTimer.USER32(?,01C96428,?,?), ref: 09965A7D
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2000549951.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_9960000_SPOOOFER776.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Timer
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2870079774-0
                                                                                                                                    • Opcode ID: a021489a94c011f19ee9604ca6f977b016fb56dc4740cae304899df586394372
                                                                                                                                    • Instruction ID: 966655fb2163f7ac56506f0c3a1e68e7bb4f0f2c986d6af909cd81bb7112b962
                                                                                                                                    • Opcode Fuzzy Hash: a021489a94c011f19ee9604ca6f977b016fb56dc4740cae304899df586394372
                                                                                                                                    • Instruction Fuzzy Hash: 4D11F2B5800349DFDB10DF9AC885BDEBBF8EB48320F10841AE959A7210C375A944CFA5
                                                                                                                                    APIs
                                                                                                                                    • SetTimer.USER32(?,01C96428,?,?), ref: 09965A7D
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2000549951.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_9960000_SPOOOFER776.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Timer
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2870079774-0
                                                                                                                                    • Opcode ID: 4264e4debf5970dfafc364294fe9f8b48ae8ab15187b30da1f3895859cdf7663
                                                                                                                                    • Instruction ID: 6a92d5e59b36ffd9f7f8db1a735aa65d3099d3232face2ff00a0a22a5280f0ba
                                                                                                                                    • Opcode Fuzzy Hash: 4264e4debf5970dfafc364294fe9f8b48ae8ab15187b30da1f3895859cdf7663
                                                                                                                                    • Instruction Fuzzy Hash: F611DFB58003499FDB10DF9AC885BDEBBF8EB48320F10845AE559A7220C375A944CFA1
                                                                                                                                    APIs
                                                                                                                                    • OleInitialize.OLE32(00000000), ref: 09215B4D
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1990148306.0000000009210000.00000040.00000800.00020000.00000000.sdmp, Offset: 09210000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_9210000_SPOOOFER776.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Initialize
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2538663250-0
                                                                                                                                    • Opcode ID: 11e1381953e800dc338b92719cb0c3bdcc2bb8b7944b14003f7a354d6afd46af
                                                                                                                                    • Instruction ID: ba5bad5dc9da33bd7d5bb8e8e8d92aec871c44548fb4f242fcdf5241917ef624
                                                                                                                                    • Opcode Fuzzy Hash: 11e1381953e800dc338b92719cb0c3bdcc2bb8b7944b14003f7a354d6afd46af
                                                                                                                                    • Instruction Fuzzy Hash: 0C1130B18003098FCB20DF9AC488B9EBBF4EB48320F20845AE519A7210C374A980CFA4
                                                                                                                                    APIs
                                                                                                                                    • SendMessageW.USER32(?,?,?,?,?,?,?,?,09219049,?,?,00000000), ref: 092190BD
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1990148306.0000000009210000.00000040.00000800.00020000.00000000.sdmp, Offset: 09210000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_9210000_SPOOOFER776.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessageSend
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3850602802-0
• Opcode ID: f497738c81d7e69bc10891cca303472fd545197c0d0d29ae24cfa02844fe3f2e
• Instruction ID: 5744c6490f6ef3ad8e55fe74d822ecf6430a4fa3a098560cfe8a409ddecd8e06
• Opcode Fuzzy Hash: f497738c81d7e69bc10891cca303472fd545197c0d0d29ae24cfa02844fe3f2e
• Instruction Fuzzy Hash: 4911F2B5800349CFDB10DF99D988BDFBBF4EB48324F10845AE558A7610C375A584CFA1

APIs
• OleInitialize.OLE32(00000000), ref: 09215B4D
Memory Dump Source
• Source File: 00000000.00000002.1990148306.0000000009210000.00000040.00000800.00020000.00000000.sdmp, Offset: 09210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9210000_SPOOOFER776.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: c75aa92b862ba4e1e9ea1f0fb6646639109ba6c50cded1b19a4f4093d2bf5538
• Instruction ID: e760a55484674979e775726c099e8845f45866a73ec29630968d423ad94bde99
• Opcode Fuzzy Hash: c75aa92b862ba4e1e9ea1f0fb6646639109ba6c50cded1b19a4f4093d2bf5538
• Instruction Fuzzy Hash: 131132B1914349CFDB10DFA9D084BCEFFF0AB58324F24846AE119A7210C379A684CFA4

APIs
• SendMessageW.USER32(?,?,?,?,?,?,?,?,09219049,?,?,00000000), ref: 092190BD
Memory Dump Source
• Source File: 00000000.00000002.1990148306.0000000009210000.00000040.00000800.00020000.00000000.sdmp, Offset: 09210000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9210000_SPOOOFER776.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: 5b4134df4e308cabd1bba2602a817d7febdaadcfcc49778332c975890ac176cd
• Instruction ID: 99d46c2ee310b3e9d5477db307f5b9c3f524a7e8759d8f32d3d37deed4c608f4
• Opcode Fuzzy Hash: 5b4134df4e308cabd1bba2602a817d7febdaadcfcc49778332c975890ac176cd
• Instruction Fuzzy Hash: 430102B48003499FDB20DF9AC888B9FBFF8EB08310F108419E558A7210D3B5A980CFA5

APIs
• KiUserCallbackDispatcher.NTDLL ref: 09960683
Memory Dump Source
• Source File: 00000000.00000002.2000549951.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9960000_SPOOOFER776.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: 37bf02ecfeab6347f0586fd80fa8d70a5194e56c01bc7a047eac89398b298c9d
• Instruction ID: 0eecfda27eb257197b95afe45e3c2c8342bad6e99c8cf3a36b320b8958b67b4b
• Opcode Fuzzy Hash: 37bf02ecfeab6347f0586fd80fa8d70a5194e56c01bc7a047eac89398b298c9d
• Instruction Fuzzy Hash: B7D0A9A640D3C00FC3024221992E1483F6098E302430A02CBC0968B133D80A881A9BA2

Memory Dump Source
• Source File: 00000000.00000002.1962796775.00000000018BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018BD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_18bd000_SPOOOFER776.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c82d0f7090f1b4c9df775218a9aec65bc60aa7c5774a38e98475b88a44973242
• Instruction ID: 84d3c9094f72337056fa9ff2c9a80eb440aca1a506ec8c45a4f09a01e1d22b63
• Opcode Fuzzy Hash: c82d0f7090f1b4c9df775218a9aec65bc60aa7c5774a38e98475b88a44973242
• Instruction Fuzzy Hash: F0217B71100280EFCB05DF84D9C0B57BF61FB88328F20C669E8088B346C336E416CBA1

Memory Dump Source
• Source File: 00000000.00000002.1962838208.00000000018CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018CD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_18cd000_SPOOOFER776.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9d5ca25700e8e800836abc678964da97a5f48001e2720812f32cb2f8b0f1a182
• Instruction ID: 20119832436407fdc6acfe7107aa57b5fc5fce265f1273bf64f7ba1626c41fdf
• Opcode Fuzzy Hash: 9d5ca25700e8e800836abc678964da97a5f48001e2720812f32cb2f8b0f1a182
• Instruction Fuzzy Hash: 43210071604204DFCB15EF58D9C4B26BBA5EB84B18F20C67DD80A8B256C33AD547CAA1

Memory Dump Source
• Source File: 00000000.00000002.1962838208.00000000018CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018CD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_18cd000_SPOOOFER776.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9683c3fa2dfca5c14d5c7f5ce74459de1e7097e6699df7dd632f9bc4631a32b9
• Instruction ID: 0ada80654312d75fa6e57fcb5be43a808c776ad0a0bebd83b5736a487feaf3be
• Opcode Fuzzy Hash: 9683c3fa2dfca5c14d5c7f5ce74459de1e7097e6699df7dd632f9bc4631a32b9
• Instruction Fuzzy Hash: 64213771504204DFDB01EF98D9C0B26BBA6FB84728F20C67DE8098B252C336E546CAA1

Memory Dump Source
• Source File: 00000000.00000002.1962796775.00000000018BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018BD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_18bd000_SPOOOFER776.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d4a9c2a4520ad29cc5014b186a1537c42efb92585eeaa8902cc1b22a323ac8e1
• Instruction ID: fa3c78924e754f323976c0f9cca4f449205b851e7592572eca6ebfbf0e02c9f6
• Opcode Fuzzy Hash: d4a9c2a4520ad29cc5014b186a1537c42efb92585eeaa8902cc1b22a323ac8e1
• Instruction Fuzzy Hash: 8021D276404280DFCB06CF44D9C4B56BF71FB84324F24C6A9DD084B256C336D51ACB91

Memory Dump Source
• Source File: 00000000.00000002.1962838208.00000000018CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018CD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_18cd000_SPOOOFER776.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
• Instruction ID: 89f7ffa05f564255b07f0210f9643e98a3cbcd8cb60a9c29a046c0072bb10caf
• Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
• Instruction Fuzzy Hash: CC11BE75504240DFDB02DF54C5C4B15BF62FB84724F24C6AED8498B656C33AE40ACB91

Memory Dump Source
• Source File: 00000000.00000002.1962838208.00000000018CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018CD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_18cd000_SPOOOFER776.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
• Instruction ID: a7f479fd8260b4b6c8fa89aeca40555210b8e2cddd4b2a457a7cdb97208c5035
• Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
• Instruction Fuzzy Hash: B311EB75504280CFCB02DF18D5C4B16BFA2FB84314F24C6AED8098B656C33AD40ACBA2

Memory Dump Source
• Source File: 00000000.00000002.1962796775.00000000018BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018BD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_18bd000_SPOOOFER776.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 301f79fe7c9d1d3b507ae03419f0e8bb893be54b08b1fcf16e6761c63c3ea9b6
• Instruction ID: dd437d7d505cccf789560affafc0793301fd1b18ed989100ae61806cbfde1511
• Opcode Fuzzy Hash: 301f79fe7c9d1d3b507ae03419f0e8bb893be54b08b1fcf16e6761c63c3ea9b6
• Instruction Fuzzy Hash: 9001D071005384B9E7114A59CDC47E7FFD8DF41328F18C659ED098A346C379D540C675

Memory Dump Source
• Source File: 00000000.00000002.1962796775.00000000018BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018BD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_18bd000_SPOOOFER776.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3332d355668ef227297cf88317b9d1dbca3586c1f7bbf6e9032fdeaf85920f19
• Instruction ID: 954147e50c1440de68dd6bb297edaae6df05f205583e52be289ceb144d41809a
• Opcode Fuzzy Hash: 3332d355668ef227297cf88317b9d1dbca3586c1f7bbf6e9032fdeaf85920f19
• Instruction Fuzzy Hash: BBF0F976600604AF9724CF0ADC84C67FBADEBC4774715C5AAE84A8B712C671EC41CEA0

Memory Dump Source
• Source File: 00000000.00000002.1962796775.00000000018BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018BD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_18bd000_SPOOOFER776.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e32bb13b40b47b93f7cd4a86d75726b9efd94c192cc8dfe9b3b77bb71b574533
• Instruction ID: 42d636a979c6341f200221ff2d3c7438881cbbad1f3e2647d577176b5b4ecb2d
• Opcode Fuzzy Hash: e32bb13b40b47b93f7cd4a86d75726b9efd94c192cc8dfe9b3b77bb71b574533
• Instruction Fuzzy Hash: A4F06271404384AEE7118A1ADCC4BA3FFE8EF51728F18C55AED084B386C2799844CAB1

Memory Dump Source
• Source File: 00000000.00000002.1962796775.00000000018BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018BD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_18bd000_SPOOOFER776.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4487a99c8f8da66a4c95a28b78fb9cd94287b9336a6a1ecc194b4b6cadc43123
• Instruction ID: 7bd24232dba786ab020e5b9846c89467905f5c968bd3857817b196097c40faeb
• Opcode Fuzzy Hash: 4487a99c8f8da66a4c95a28b78fb9cd94287b9336a6a1ecc194b4b6cadc43123
• Instruction Fuzzy Hash: 46F03775104A80AFE325CF06CC84C63BFB9EB8576471A8589E85A8B352C671EC42CBA0

Strings
Memory Dump Source
• Source File: 00000000.00000002.2000549951.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9960000_SPOOOFER776.jbxd
Similarity
• API ID:
• String ID: Hmq$Hmq$Hmq$Hmq$Hmq
• API String ID: 0-1314966066
• Opcode ID: 7e4ad24e912d080c2f3453b4cd6c952da05a59a7cdff3a01aea86df847110640
• Instruction ID: f0338aaeca1ef7b244fb36bec8e1cd31636be845e32e423ea1d3af3f086bd409
• Opcode Fuzzy Hash: 7e4ad24e912d080c2f3453b4cd6c952da05a59a7cdff3a01aea86df847110640
• Instruction Fuzzy Hash: 7932A030A00258CFDB54DFB9C8547AEBBF6BF88300F14856AD409AB3A9DA349D45CB95

Strings
Memory Dump Source
• Source File: 00000000.00000002.2000549951.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9960000_SPOOOFER776.jbxd
Similarity
• API ID:
• String ID: W
• API String ID: 0-655174618
• Opcode ID: c79a616d0d5fa2bdff1297b589c2acf7c47c0db02c85c7b7a3acfff82dc07d63
• Instruction ID: 835e914830484ff9f7c152a20a6fa94e70b37bb7fbefdc09a8d02750486f7579
• Opcode Fuzzy Hash: c79a616d0d5fa2bdff1297b589c2acf7c47c0db02c85c7b7a3acfff82dc07d63
• Instruction Fuzzy Hash: E4D1F531C10B5ACECB11EB64D9906D9B7B1FF95300F50879AE5097B224EB70AAC9CF81

Strings
Memory Dump Source
• Source File: 00000000.00000002.1978301849.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_6b00000_SPOOOFER776.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: LRiq
                                                                                                                                    • API String ID: 0-209933059
                                                                                                                                    • Opcode ID: b4692dc6c2bfebfde4a49ef87071061e9982209d38d2aa74efcdae47698dc6ae
                                                                                                                                    • Instruction ID: 9b792b6de86158d03f2e5fcb054737b7acbca7a52fd27816ff2ddeafc9aa59c1
                                                                                                                                    • Opcode Fuzzy Hash: b4692dc6c2bfebfde4a49ef87071061e9982209d38d2aa74efcdae47698dc6ae
                                                                                                                                    • Instruction Fuzzy Hash: 9181B2B5E042198FFB44DA69C580BADBFB6EB84341F10A466E516EB3D1CA34DD418BC1
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1978301849.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_6b00000_SPOOOFER776.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: LRiq
                                                                                                                                    • API String ID: 0-209933059
                                                                                                                                    • Opcode ID: f171e6be5287cdb7e2f7d4e0b0f5fa3587c14671d1fe598ecc3ff48f399ec027
                                                                                                                                    • Instruction ID: 9d8d968cd936e1b95f4de274d99c58b8e6317cf3471d9dfcc0b805de69af7314
                                                                                                                                    • Opcode Fuzzy Hash: f171e6be5287cdb7e2f7d4e0b0f5fa3587c14671d1fe598ecc3ff48f399ec027
                                                                                                                                    • Instruction Fuzzy Hash: F681C4B5E04219CFFB84DA69C580BADBFB6AB84341F10E466D516EB3D1C634DD418BC1
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1978301849.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_6b00000_SPOOOFER776.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: =
                                                                                                                                    • API String ID: 0-2322244508
                                                                                                                                    • Opcode ID: 1e1c5f1e4083fff3847fbb63c678aeb323beedd080e3537751fa4bb0b008aada
                                                                                                                                    • Instruction ID: 1ee7068b7b316287d74acdbff35aa894c4cf5d88577e47e63629a94cd0dc2a24
                                                                                                                                    • Opcode Fuzzy Hash: 1e1c5f1e4083fff3847fbb63c678aeb323beedd080e3537751fa4bb0b008aada
                                                                                                                                    • Instruction Fuzzy Hash: 4551E7B0A40745BFF794DB68CC41BBEBFB1EB84304F1484AAC216AF6D5D6789A44CB00
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1978301849.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_6b00000_SPOOOFER776.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: =
                                                                                                                                    • API String ID: 0-2322244508
                                                                                                                                    • Opcode ID: 26c798b3104aa7647f1a2b2231975bd5b26ea3b7af7cdf3258f2f5e2c0cf14e0
                                                                                                                                    • Instruction ID: 4471ee738bf9c790fb655e476eb5cd53579d354b5842f27cb6ce6a06a350144a
                                                                                                                                    • Opcode Fuzzy Hash: 26c798b3104aa7647f1a2b2231975bd5b26ea3b7af7cdf3258f2f5e2c0cf14e0
                                                                                                                                    • Instruction Fuzzy Hash: C651C8B0B40745BFF794DB68CC51B7EBEB2EB84304F14C4A9C216AB6C5D6749A44CB04
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1978301849.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_6b00000_SPOOOFER776.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: =
                                                                                                                                    • API String ID: 0-2322244508
                                                                                                                                    • Opcode ID: 056bc593bb51cd42b8444ec12fb3b1b3314721833e4badd6faa17ee0baf2e5b6
                                                                                                                                    • Instruction ID: 90381f080f07826941a16702f32e4babe94e8c1070a0d351e01e4b0b39085cac
                                                                                                                                    • Opcode Fuzzy Hash: 056bc593bb51cd42b8444ec12fb3b1b3314721833e4badd6faa17ee0baf2e5b6
                                                                                                                                    • Instruction Fuzzy Hash: EA41A6B0B40645BFF794DB64CC51B7EBEB2EBC4304F14C4AAC216AB6D5D6749A04CB04
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1978301849.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_6b00000_SPOOOFER776.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: =
                                                                                                                                    • API String ID: 0-2322244508
                                                                                                                                    • Opcode ID: 46c38f613941677ccab18a1daff77f7d2e7714e09fd73b251d65292031704c53
                                                                                                                                    • Instruction ID: b9e6140df3809905825ca68bfffd0ec3500edb487cb3d47f19da58c37348e209
                                                                                                                                    • Opcode Fuzzy Hash: 46c38f613941677ccab18a1daff77f7d2e7714e09fd73b251d65292031704c53
                                                                                                                                    • Instruction Fuzzy Hash: A041A6B0B41645BFF794DB64CC51B7EBEB2EBC4304F24C4AAC216AB6D5D6789A04CB04
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1978301849.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_6b00000_SPOOOFER776.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: =
                                                                                                                                    • API String ID: 0-2322244508
                                                                                                                                    • Opcode ID: 77b7442435b4701a3fe7c390c85b8db2f1ad5d4fbcb071cf375efc638b245fad
                                                                                                                                    • Instruction ID: 7b67fcfe0882fe790e4fb08f3dd181775825835945e57f86a253540173e5b2f0
                                                                                                                                    • Opcode Fuzzy Hash: 77b7442435b4701a3fe7c390c85b8db2f1ad5d4fbcb071cf375efc638b245fad
                                                                                                                                    • Instruction Fuzzy Hash: 8E41C5B0A41645BFF794DB64CC51B7EBEB2EBC4304F14C4AAC216AB6D5C6749A04CB01
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2000756729.0000000009B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 09B30000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_9b30000_SPOOOFER776.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 1f3a09ac93900f02aadd402faf71baec1583e31b001693ae9d3af5978276068d
                                                                                                                                    • Instruction ID: 0cee02a09cdd1dd0554bea922549ea1b59727f836645645fcc541ae46c31cf58
                                                                                                                                    • Opcode Fuzzy Hash: 1f3a09ac93900f02aadd402faf71baec1583e31b001693ae9d3af5978276068d
                                                                                                                                    • Instruction Fuzzy Hash: D3D1BB71B01314CBDB25DF76C460BAA77EAAF88310F5485ADE146CB6A0DF75E801CB91
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.1978301849.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_6b00000_SPOOOFER776.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 9e1b24a7170137754f59356b984f902a77aee469d4945ad571e06855739dff84
                                                                                                                                    • Instruction ID: bafacf01484144880be935462d1afa067ed387c1fee6ee40376205fcc8e9312a
                                                                                                                                    • Opcode Fuzzy Hash: 9e1b24a7170137754f59356b984f902a77aee469d4945ad571e06855739dff84
                                                                                                                                    • Instruction Fuzzy Hash: 3D1296F25017858AD332CF65EA4C3893BB1BB65318F50430AD2622B6E9DBB4954BCF45
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2000549951.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_9960000_SPOOOFER776.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 564340a4080fbc80816b4a78dc973561b42b0619947a30de2f1582318a0756a9
                                                                                                                                    • Instruction ID: e05de98f7f747828092522a371a92316764ac0afb7bdd523b867cf84b062587e
                                                                                                                                    • Opcode Fuzzy Hash: 564340a4080fbc80816b4a78dc973561b42b0619947a30de2f1582318a0756a9
                                                                                                                                    • Instruction Fuzzy Hash: 97C13971E00258DFDF15CFA5C98079DBBB2AF88310F18C5AAE449AB265DB31E985CF50
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2000549951.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_9960000_SPOOOFER776.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: d0bf1a84cc27a039434f98ab710d397254a6648486f5faed4fc5cbb7a1f47cf0
                                                                                                                                    • Instruction ID: b4e0465384baf59338aee61e74f97c0cc3ea1aed3afaf93bb4c5306e8f5bed8b
                                                                                                                                    • Opcode Fuzzy Hash: d0bf1a84cc27a039434f98ab710d397254a6648486f5faed4fc5cbb7a1f47cf0
                                                                                                                                    • Instruction Fuzzy Hash: B7B1A071B042068FC784DF79D590259B6A5FFC5300B54C8BAC41ADF3AADB35E90ACB91
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2000549951.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_9960000_SPOOOFER776.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 8091bfd747fe2d01b350daa1d9d5fae358fd6a238784b5b216943bda7e51f084
                                                                                                                                    • Instruction ID: 7e6cbe2cbab89c12fd0d2c9c5d0ad713dfdd0fa7921c7c7951f202bf23a1e05d
                                                                                                                                    • Opcode Fuzzy Hash: 8091bfd747fe2d01b350daa1d9d5fae358fd6a238784b5b216943bda7e51f084
                                                                                                                                    • Instruction Fuzzy Hash: 0BB191317042068FC784DF79D590259B6A5FFC5300B54C8BAC41ADF3A9DB35E94ACB91
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2000549951.0000000009960000.00000040.00000800.00020000.00000000.sdmp, Offset: 09960000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_9960000_SPOOOFER776.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: