
Windows Analysis Report
PDF6UU0CVUO2W-YGVUIO.scr.exe

Overview

General Information

Sample name: PDF6UU0CVUO2W-YGVUIO.scr.exe
Analysis ID: 1591785
MD5: 9d8bc1bd62ddd6ebe6f9e25a8c73bca3
SHA1: 0a34d97de35ea1c4252bb2bf148c1173666f7343
SHA256: 53744fdba0544f915f43eddad494ea07a405776df30864415d6b1445db042481
Tags: exe, scr, user-cocaman

Detection

MassLogger RAT, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected MassLogger RAT
Yara detected PureLog Stealer
Yara detected Telegram RAT
AI detected suspicious sample
Machine Learning detection for sample
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

  • System is w10x64
  • PDF6UU0CVUO2W-YGVUIO.scr.exe (PID: 7432 cmdline: "C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe" MD5: 9D8BC1BD62DDD6EBE6F9E25A8C73BCA3)
    • PDF6UU0CVUO2W-YGVUIO.scr.exe (PID: 7588 cmdline: "C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe" MD5: 9D8BC1BD62DDD6EBE6F9E25A8C73BCA3)
  • cleanup
Malware configuration (MassLogger): {"EXfil Mode": "SMTP", "From": "obgee2025@plavuto.top", "Password": "l~La1~er*~N&          ", "Server": "mail.plavuto.top", "Port": 587}
Yara matches in process memory dumps (Source | Rule | Description | Author | Strings); 14 entries in total, 5 shown:
00000004.00000002.2515751185.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
00000004.00000002.2515751185.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000004.00000002.2515751185.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0xeaa7:$a1: get_encryptedPassword
  • 0xedcf:$a2: get_encryptedUsername
  • 0xe842:$a3: get_timePasswordChanged
  • 0xe963:$a4: get_passwordField
  • 0xeabd:$a5: set_encryptedPassword
  • 0x1040e:$a7: get_logins
  • 0x100bf:$a8: GetOutlookPasswords
  • 0xfeb1:$a9: StartKeylogger
  • 0x1035e:$a10: KeyLoggerEventArgs
  • 0xff0e:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1269663136.0000000005D10000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000000.00000002.1267082972.0000000004379000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security

Yara matches in unpacked PE files (Source | Rule | Description | Author); 22 entries in total, 5 shown:
0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.5d10000.6.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.5d10000.6.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.438ff90.5.raw.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.438ff90.5.raw.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.438ff90.5.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security

No Sigma rule has matched

Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
2025-01-15T13:20:12.854585+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49703 | 193.122.130.0 | 80 | TCP


                    AV Detection

Source: 0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.438ff90.5.raw.unpack | Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "obgee2025@plavuto.top", "Password": "l~La1~er*~N& ", "Server": "mail.plavuto.top", "Port": 587}
Source: PDF6UU0CVUO2W-YGVUIO.scr.exe | ReversingLabs: Detection: 63%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: PDF6UU0CVUO2W-YGVUIO.scr.exe | Joe Sandbox ML: detected

                    Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: PDF6UU0CVUO2W-YGVUIO.scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.7:49731 version: TLS 1.0
Source: PDF6UU0CVUO2W-YGVUIO.scr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: FZfi.pdbSHA256 | source: PDF6UU0CVUO2W-YGVUIO.scr.exe
Source: Binary string: FZfi.pdb | source: PDF6UU0CVUO2W-YGVUIO.scr.exe
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.21.96.1
Source: Joe Sandbox View | IP Address: 193.122.130.0
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49703 -> 193.122.130.0:80
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2519139152.000000000343E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2519139152.000000000343E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.comd
Source: PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2519139152.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2519139152.000000000343E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2519139152.00000000033C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2519139152.000000000343E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/d
Source: PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000000.00000002.1267082972.00000000043B7000.00000004.00000800.00020000.00000000.sdmp, PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000000.00000002.1267082972.0000000004379000.00000004.00000800.00020000.00000000.sdmp, PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2515751185.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2519139152.000000000343E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.orgd
Source: PDF6UU0CVUO2W-YGVUIO.scr.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: PDF6UU0CVUO2W-YGVUIO.scr.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: PDF6UU0CVUO2W-YGVUIO.scr.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2519139152.000000000345B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2519139152.000000000345B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.orgd
Source: PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2519139152.00000000033C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namex
Source: PDF6UU0CVUO2W-YGVUIO.scr.exe | String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000000.00000002.1267082972.00000000043B7000.00000004.00000800.00020000.00000000.sdmp, PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000000.00000002.1267082972.0000000004379000.00000004.00000800.00020000.00000000.sdmp, PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2515751185.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2519139152.000000000343E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000000.00000002.1267082972.00000000043B7000.00000004.00000800.00020000.00000000.sdmp, PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000000.00000002.1267082972.0000000004379000.00000004.00000800.00020000.00000000.sdmp, PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2515751185.0000000000402000.00000040.00000400.00020000.00000000.sdmp, PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2519139152.000000000343E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2519139152.000000000343E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2519139152.000000000343E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: PDF6UU0CVUO2W-YGVUIO.scr.exe | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443

                    System Summary

Source: 0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.438ff90.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.438ff90.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 4.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 4.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.4379970.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.4379970.4.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.4379970.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.4379970.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.438ff90.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.438ff90.5.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000004.00000002.2515751185.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1267082972.0000000004379000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1267082972.00000000043B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: PDF6UU0CVUO2W-YGVUIO.scr.exe PID: 7432, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: PDF6UU0CVUO2W-YGVUIO.scr.exe PID: 7588, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exeCode function: 4_2_05FF4B404_2_05FF4B40
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exeCode function: 4_2_05FF1A504_2_05FF1A50
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exeCode function: 4_2_05FF1A404_2_05FF1A40
                    Source: PDF6UU0CVUO2W-YGVUIO.scr.exe Static PE information: invalid certificate
                    Source: PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000000.00000002.1266311796.0000000003445000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCaptive.dll" vs PDF6UU0CVUO2W-YGVUIO.scr.exe
                    Source: PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000000.00000002.1270739606.0000000007A10000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs PDF6UU0CVUO2W-YGVUIO.scr.exe
                    Source: PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000000.00000002.1269663136.0000000005D10000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameCaptive.dll" vs PDF6UU0CVUO2W-YGVUIO.scr.exe
                    Source: PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000000.00000002.1266311796.0000000003371000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCloudServices.exe< vs PDF6UU0CVUO2W-YGVUIO.scr.exe
                    Source: PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000000.00000000.1255439503.0000000000EEC000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameFZfi.exeB vs PDF6UU0CVUO2W-YGVUIO.scr.exe
                    Source: PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000000.00000002.1267082972.00000000043B7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs PDF6UU0CVUO2W-YGVUIO.scr.exe
                    Source: PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000000.00000002.1264681128.000000000151E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs PDF6UU0CVUO2W-YGVUIO.scr.exe
                    Source: PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000000.00000002.1267082972.0000000004379000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCloudServices.exe< vs PDF6UU0CVUO2W-YGVUIO.scr.exe
                    Source: PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000000.00000002.1267082972.0000000004379000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCaptive.dll" vs PDF6UU0CVUO2W-YGVUIO.scr.exe
                    Source: PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2515751185.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCloudServices.exe< vs PDF6UU0CVUO2W-YGVUIO.scr.exe
                    Source: PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2516116228.00000000011E7000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PDF6UU0CVUO2W-YGVUIO.scr.exe
                    Source: PDF6UU0CVUO2W-YGVUIO.scr.exe Binary or memory string: OriginalFilenameFZfi.exeB vs PDF6UU0CVUO2W-YGVUIO.scr.exe
                    Source: PDF6UU0CVUO2W-YGVUIO.scr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.438ff90.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.438ff90.5.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 4.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 4.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.4379970.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.4379970.4.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.4379970.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.4379970.4.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.438ff90.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.438ff90.5.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                    Source: 00000004.00000002.2515751185.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 00000000.00000002.1267082972.0000000004379000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: 00000000.00000002.1267082972.00000000043B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: Process Memory Space: PDF6UU0CVUO2W-YGVUIO.scr.exe PID: 7432, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: Process Memory Space: PDF6UU0CVUO2W-YGVUIO.scr.exe PID: 7588, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                    Source: PDF6UU0CVUO2W-YGVUIO.scr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/1@2/2
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PDF6UU0CVUO2W-YGVUIO.scr.exe.log
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Mutant created: NULL
                    Source: PDF6UU0CVUO2W-YGVUIO.scr.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: PDF6UU0CVUO2W-YGVUIO.scr.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2519139152.000000000349E000.00000004.00000800.00020000.00000000.sdmp, PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2520309790.00000000043ED000.00000004.00000800.00020000.00000000.sdmp, PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2519139152.00000000034DD000.00000004.00000800.00020000.00000000.sdmp, PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2519139152.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2519139152.00000000034BC000.00000004.00000800.00020000.00000000.sdmp, PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2519139152.00000000034D1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000000.00000000.1255376335.0000000000E62000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO users (first_name, last_name, email, [password]) VALUES (@firstName, @lastName, @email, @password);
                    Source: PDF6UU0CVUO2W-YGVUIO.scr.exe ReversingLabs: Detection: 63%
                    Source: unknown Process created: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe "C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe"
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Process created: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe "C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe"
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Process created: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe "C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe"
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: version.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: windowscodecs.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: dwrite.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: textshaping.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: version.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: rasapi32.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: rasman.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: rtutils.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: mswsock.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: winhttp.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: dhcpcsvc.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: dnsapi.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: winnsi.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: rasadhlp.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: secur32.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: schannel.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: mskeyprotect.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: ntasn1.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: ncrypt.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: ncryptsslp.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Section loaded: dpapi.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                    Source: PDF6UU0CVUO2W-YGVUIO.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: PDF6UU0CVUO2W-YGVUIO.scr.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: PDF6UU0CVUO2W-YGVUIO.scr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: FZfi.pdbSHA256 source: PDF6UU0CVUO2W-YGVUIO.scr.exe
                    Source: Binary string: FZfi.pdb source: PDF6UU0CVUO2W-YGVUIO.scr.exe
                    Source: PDF6UU0CVUO2W-YGVUIO.scr.exe Static PE information: 0xF4D857CA [Thu Mar 4 04:49:14 2100 UTC]
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Code function: 4_2_05FF87B0 push esp; iretd 4_2_05FF87B1
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Code function: 4_2_05FFB2E7 push esp; retf 4_2_05FFB321
                    Source: PDF6UU0CVUO2W-YGVUIO.scr.exe Static PE information: section name: .text entropy: 7.626848152072666
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Process information set: NOOPENFILEERRORBOX (69 identical entries)
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

Source: Yara match, file source: Process Memory Space: PDF6UU0CVUO2W-YGVUIO.scr.exe PID: 7432, type: MEMORYSTR
Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Memory allocated: 1860000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Memory allocated: 3370000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Memory allocated: 3190000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Memory allocated: 8F70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Memory allocated: 9F70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Memory allocated: A160000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Memory allocated: B160000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Memory allocated: 1850000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Memory allocated: 33C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Memory allocated: 53C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe TID: 7456 Thread sleep time: -922337203685477s >= -30000s
Source: PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2516747881.0000000001607000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllG
Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Code function: 4_2_05A20AB8 LdrInitializeThunk,LdrInitializeThunk, 4_2_05A20AB8
Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Process created: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe "C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe"
Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Queries volume information: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe VolumeInformation
Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

Source: Yara match, file source: 0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.438ff90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.4379970.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.4379970.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.438ff90.5.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000004.00000002.2515751185.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1267082972.0000000004379000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1267082972.00000000043B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: PDF6UU0CVUO2W-YGVUIO.scr.exe PID: 7432, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: PDF6UU0CVUO2W-YGVUIO.scr.exe PID: 7588, type: MEMORYSTR
Source: Yara match, file source: 0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.5d10000.6.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.5d10000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.356288c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.34a9f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.344da0c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000000.00000002.1269663136.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1266311796.0000000003445000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

                    Remote Access Functionality

Source: Yara match, file source: 0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.438ff90.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 4.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.4379970.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.4379970.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.438ff90.5.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000004.00000002.2515751185.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1267082972.0000000004379000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1267082972.00000000043B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: PDF6UU0CVUO2W-YGVUIO.scr.exe PID: 7432, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: PDF6UU0CVUO2W-YGVUIO.scr.exe PID: 7588, type: MEMORYSTR
Source: Yara match, file source: 0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.5d10000.6.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.5d10000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.356288c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.34a9f20.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.PDF6UU0CVUO2W-YGVUIO.scr.exe.344da0c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000000.00000002.1269663136.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1266311796.0000000003445000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix

Techniques listed per tactic column; the counts displayed next to a technique in the matrix are given in parentheses.

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Privilege Escalation: Process Injection (11), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (31), Process Injection (11), Obfuscated Files or Information (3), Software Packing (2), Timestomp (1), DLL Side-Loading (1)
Credential Access: OS Credential Dumping (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: Query Registry (1), Security Software Discovery (1), Process Discovery (1), Virtualization/Sandbox Evasion (31), System Network Configuration Discovery (1), System Information Discovery (13), Remote System Discovery, System Owner/User Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
Collection: Email Collection (1), Archive Collected Data (1), Data from Local System (1), Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Command and Control: Encrypted Channel (11), Ingress Tool Transfer (1), Non-Application Layer Protocol (2), Application Layer Protocol (13), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement

Antivirus Detection

Source | Detection | Scanner | Label | Link
PDF6UU0CVUO2W-YGVUIO.scr.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.SnakeLogger |
PDF6UU0CVUO2W-YGVUIO.scr.exe | 100% | Joe Sandbox ML | |

No Antivirus matches
Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 104.21.96.1 | true | false | | high
checkip.dyndns.com | 193.122.130.0 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high
Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
URLs from Memory and Binary Strings

Name | Source | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org/xml/8.46.123.189l | PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2519139152.000000000343E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.comd | PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2519139152.000000000343E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org/q | PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000000.00000002.1267082972.00000000043B7000.00000004.00000800.00020000.00000000.sdmp, PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000000.00000002.1267082972.0000000004379000.00000004.00000800.00020000.00000000.sdmp, PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2515751185.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://reallyfreegeoip.orgd | PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2519139152.000000000345B000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/DataSet1.xsd | PDF6UU0CVUO2W-YGVUIO.scr.exe | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189d | PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2519139152.000000000343E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://reallyfreegeoip.org | PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2519139152.000000000345B000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.orgd | PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2519139152.000000000343E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org | PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2519139152.000000000343E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org | PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2519139152.00000000033C1000.00000004.00000800.00020000.00000000.sdmp, PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2519139152.000000000343E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.com | PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2519139152.000000000343E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org/d | PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2519139152.000000000343E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | PDF6UU0CVUO2W-YGVUIO.scr.exe | false | | high
https://api.telegram.org/bot-/sendDocument?chat_id= | PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000000.00000002.1267082972.00000000043B7000.00000004.00000800.00020000.00000000.sdmp, PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000000.00000002.1267082972.0000000004379000.00000004.00000800.00020000.00000000.sdmp, PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2515751185.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namex | PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2519139152.00000000033C1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/ | PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000000.00000002.1267082972.00000000043B7000.00000004.00000800.00020000.00000000.sdmp, PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000000.00000002.1267082972.0000000004379000.00000004.00000800.00020000.00000000.sdmp, PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2515751185.0000000000402000.00000040.00000400.00020000.00000000.sdmp, PDF6UU0CVUO2W-YGVUIO.scr.exe, 00000004.00000002.2519139152.000000000343E000.00000004.00000800.00020000.00000000.sdmp | false | | high
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
104.21.96.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
193.122.130.0 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
General Information

Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1591785
Start date and time: 2025-01-15 13:19:04 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 35s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                              Number of analysed new started processes analysed:14
                                                              Number of new started drivers analysed:0
                                                              Number of existing processes analysed:0
                                                              Number of existing drivers analysed:0
                                                              Number of injected processes analysed:0
                                                              Technologies:
                                                              • HCA enabled
                                                              • EGA enabled
                                                              • AMSI enabled
                                                              Analysis Mode:default
                                                              Analysis stop reason:Timeout
                                                              Sample name:PDF6UU0CVUO2W-YGVUIO.scr.exe
                                                              Detection:MAL
                                                              Classification:mal100.troj.spyw.evad.winEXE@3/1@2/2
                                                              EGA Information:
                                                              • Successful, ratio: 100%
                                                              HCA Information:
                                                              • Successful, ratio: 100%
                                                              • Number of executed functions: 75
                                                              • Number of non-executed functions: 39
                                                              Cookbook Comments:
                                                              • Found application associated with file extension: .exe
                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                              • Excluded IPs from analysis (whitelisted): 2.23.242.162, 13.107.253.45, 20.12.23.50
                                                              • Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                                                              • Not all processes where analyzed, report is missing behavior information
                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                              • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
07:20:00 | API Interceptor | 1x Sleep call for process: PDF6UU0CVUO2W-YGVUIO.scr.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.96.1 | k9OEsV37GE.exe | malicious | FormBook | www.uzshou.world/kbd2/?EtJTX=_JVX4ryxDRQpLJF&cNPH=ufZ7RYF4yLxNXVSq5Vx/4TYieRbcnKjskkbM3L5RbgB1pAgqHA7sfCNkYWLyXRMMwBB3JLbYKUw1FAOWml6VLpxPVZ4qXf58MsNUIQgw/PJ5HUGIvLQvrl5frN9PrRFpPiAd2cDcH6Sr
104.21.96.1 | gH3LlhcRzg.exe | malicious | FormBook | www.dejikenkyu.cyou/58m5/
104.21.96.1 | EIvidclKOb.exe | malicious | FormBook | www.mffnow.info/0pqe/
104.21.96.1 | zE1VxVoZ3W.exe | malicious | FormBook | www.aonline.top/fqlg/
104.21.96.1 | QUOTATION#070125-ELITE MARINE .exe | malicious | FormBook | www.mzkd6gp5.top/3u0p/
104.21.96.1 | SH8ZyOWNi2.exe | malicious | CMSBrute | pelisplus.so/administrator/index.php
104.21.96.1 | Recibos.exe | malicious | FormBook | www.mffnow.info/1a34/
193.122.130.0 | PO#_1100015533.scr | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
193.122.130.0 | 1nl3hc.ps1 | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | 50201668.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | MB263350411AE_1.scr.exe | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
193.122.130.0 | slime crypted.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | MB263350411AE.scr.exe | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
193.122.130.0 | Remittance Advice.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | h8izmpp1ZM.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | x8M2g1Xxhz.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | b6AGgIJ87g.exe | malicious | Snake Keylogger | checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
reallyfreegeoip.org | PO#_1100015533.scr | malicious | MassLogger RAT, PureLog Stealer | 104.21.80.1
reallyfreegeoip.org | 1nl3hc.ps1 | malicious | MassLogger RAT | 104.21.112.1
reallyfreegeoip.org | Contrarre.exe | malicious | MassLogger RAT | 104.21.96.1
reallyfreegeoip.org | Company introduction.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.48.1
reallyfreegeoip.org | rDEKONT-1_15_2025__75kb__pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.96.1
reallyfreegeoip.org | RFQ_AS0101402025.22025_PDF.exe | malicious | MassLogger RAT | 104.21.96.1
reallyfreegeoip.org | QUOTATION REQUIRED_Enatel s.r.l..exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.96.1
reallyfreegeoip.org | Confirm Bank Statement.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.64.1
reallyfreegeoip.org | 50201668.exe | malicious | MassLogger RAT | 104.21.64.1
reallyfreegeoip.org | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 104.21.48.1
checkip.dyndns.com | PO#_1100015533.scr | malicious | MassLogger RAT, PureLog Stealer | 193.122.130.0
checkip.dyndns.com | 1nl3hc.ps1 | malicious | MassLogger RAT | 193.122.130.0
checkip.dyndns.com | Contrarre.exe | malicious | MassLogger RAT | 193.122.6.168
checkip.dyndns.com | Company introduction.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
checkip.dyndns.com | rDEKONT-1_15_2025__75kb__pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
checkip.dyndns.com | RFQ_AS0101402025.22025_PDF.exe | malicious | MassLogger RAT | 158.101.44.242
checkip.dyndns.com | QUOTATION REQUIRED_Enatel s.r.l..exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
checkip.dyndns.com | Confirm Bank Statement.exe | malicious | MassLogger RAT, PureLog Stealer | 132.226.8.169
checkip.dyndns.com | 50201668.exe | malicious | MassLogger RAT | 193.122.130.0
checkip.dyndns.com | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 132.226.247.73
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | https://eventor.orienteering.asn.au/Home/RedirectToLivelox?redirectUrl=https%3A%2F%2Farchive1.diqx8fescpsb0.amplifyapp.com%2Fm1%2Fenvelope%2Fdocument%2Fcontent%2F4086 | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | PO#_1100015533.scr | malicious | MassLogger RAT, PureLog Stealer | 104.21.80.1
CLOUDFLARENETUS | Davx2k2025.doc | malicious | Unknown | 104.18.95.41
CLOUDFLARENETUS | Setup_BrightSlide_1.0.9.exe | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | 9179390927_20250115_155451.html | malicious | HTMLPhisher | 104.18.187.31
CLOUDFLARENETUS | Davx2k2025.doc | malicious | Unknown | 104.18.95.41
CLOUDFLARENETUS | https://www.pdfforge.org/pdfcreator?srsltid=AfmBOoq1lpA5qNxfcLUyxjmEXAioeKYtqPTpBsIbZ5VOdq3uhOg1WclG | malicious | Unknown | 104.21.80.92
CLOUDFLARENETUS | https://kullumanali.org | malicious | Anonymous Proxy | 1.1.1.1
CLOUDFLARENETUS | https://clickme.thryv.com/ls/click?upn=u001.5dsdCa4YiGVzoib36gWoSPT0wVekqsfeOZRSaz9d28itE0eTxOetbwlGaCx05rQJywXo_UNbDpVWBvKTmUslwem1E0EC2Cp68hMzvjQfllUT9E4DZqDf2uiRmAk3QSMceJiv-2FShXGXSXiT9Fl37dFQYscKLxEMcTJj4tm5gMav6Ov9aRXzCg4yzvno75Wb80hSd5kw8Ua5r4R2pwCFTS4zDFYiEkWB-2BYk1VUWtpkJwb9IQIMAq1SSLT005wiJ2XiGw1jPEr6v61MJQRnC7AeLVtxYgqGlydBoPFbs1IP04-2BxPajuRI3fTsnzWZ9ty3RasYpwuqdrF0E8VoyYkggeeLEm9ENK69uYTCVHWHpxCPkzirQSIkvpt5FNZojg491ibS35IgO0LPU5gnpEaeaUj4-2BZoFUHIAAzMMy-2BYqsZ9F9Ldu1c-3D#X | malicious | HTMLPhisher | 104.21.96.1
ORACLE-BMC-31898US | PO#_1100015533.scr | malicious | MassLogger RAT, PureLog Stealer | 193.122.130.0
ORACLE-BMC-31898US | 1nl3hc.ps1 | malicious | MassLogger RAT | 193.122.130.0
ORACLE-BMC-31898US | Contrarre.exe | malicious | MassLogger RAT | 193.122.6.168
ORACLE-BMC-31898US | Company introduction.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
ORACLE-BMC-31898US | rDEKONT-1_15_2025__75kb__pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
ORACLE-BMC-31898US | RFQ_AS0101402025.22025_PDF.exe | malicious | MassLogger RAT | 158.101.44.242
ORACLE-BMC-31898US | m68k.elf | malicious | Unknown | 193.122.239.186
ORACLE-BMC-31898US | 50201668.exe | malicious | MassLogger RAT | 193.122.130.0
ORACLE-BMC-31898US | MB263350411AE_1.scr.exe | malicious | MassLogger RAT, PureLog Stealer | 193.122.130.0
ORACLE-BMC-31898US | ABG Draft.scr.exe | malicious | MassLogger RAT, PureLog Stealer | 158.101.44.242
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | 1nl3hc.ps1 | malicious | MassLogger RAT | 104.21.96.1
54328bd36c14bd82ddaa0c04b25ed9ad | Contrarre.exe | malicious | MassLogger RAT | 104.21.96.1
54328bd36c14bd82ddaa0c04b25ed9ad | Company introduction.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.96.1
54328bd36c14bd82ddaa0c04b25ed9ad | rDEKONT-1_15_2025__75kb__pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.96.1
54328bd36c14bd82ddaa0c04b25ed9ad | RFQ_AS0101402025.22025_PDF.exe | malicious | MassLogger RAT | 104.21.96.1
54328bd36c14bd82ddaa0c04b25ed9ad | QUOTATION REQUIRED_Enatel s.r.l..exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.96.1
54328bd36c14bd82ddaa0c04b25ed9ad | Confirm Bank Statement.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.96.1
54328bd36c14bd82ddaa0c04b25ed9ad | 50201668.exe | malicious | MassLogger RAT | 104.21.96.1
54328bd36c14bd82ddaa0c04b25ed9ad | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 104.21.96.1
54328bd36c14bd82ddaa0c04b25ed9ad | MB263350411AE_1.scr.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.96.1
No context
Process: C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.451721899513802
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 50.01%
• Win32 Executable (generic) a (10002005/4) 49.97%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: PDF6UU0CVUO2W-YGVUIO.scr.exe
File size: 639'496 bytes
MD5: 9d8bc1bd62ddd6ebe6f9e25a8c73bca3
SHA1: 0a34d97de35ea1c4252bb2bf148c1173666f7343
SHA256: 53744fdba0544f915f43eddad494ea07a405776df30864415d6b1445db042481
SHA512: b19a0ce9ebc0c419ce53b5f646d90dc53744480bd40d1c84f7caf29f688deff25503cb20ca709828d10e088d60b43d1ed6687b10aef4d39ee3d2b7c20a64de8d
SSDEEP: 12288:ZYRxA4Y5lyA/BxSPCVZxTEQBae03JIpfsTC6RPBI6RgZOYNCVpveB/B19kR:uRwL9BaZJIpoC6R5I2SOY+pvc/ng
TLSH: 56D4E15052D8D8C2D8531F701D72F2B416687E9DA931CE17AFEA3DAB7A73382247520E
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....W................0.............2.... ........@.. ....................................@................................
Icon Hash: 7534351900049948
Entrypoint: 0x48aa32
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xF4D857CA [Thu Mar 4 04:49:14 2100 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Signature Valid: false
Signature Issuer: CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error: The digital signature of the object did not verify
Error Number: -2146869232
Not Before, Not After
• 13/11/2018 01:00:00 09/11/2021 00:59:59
Subject Chain
• CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version: 3
Thumbprint MD5: DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1: 5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256: 4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial: 7C1118CBBADC95DA3752C46E47A27438
Instruction
jmp dword ptr [00402000h]
call far 0000h : 003E9999h
aas
int CCh
dec esp
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
                                                              add byte ptr [eax], al
Data directories
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x8a9dd          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x8c000          0xfb44        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x98c00          0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x9c000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x8920c          0x70          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Note: the SECURITY entry is a raw file offset rather than an RVA, which is why it maps to no section; it points at a 0x3608-byte attached certificate blob. The COM_DESCRIPTOR entry is the CLR header, so this is a managed (.NET) image.
Sections
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
.text   0x2000           0x88a48       0x88c00   2999a5309a2984da123b2ca3bfd97ba7  False     0.893092293190128    data       7.626848152072666    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x8c000          0xfb44        0xfc00    1e00d7a5a83fc8e564d73c034d28dab9  False     0.26354786706349204  data       4.340677806585484    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x9c000          0xc           0x200     214d8ace13f15f12d8ae10346f9a8324  False     0.044921875          data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Resources
Name           RVA      Size    Type                                                                                              Language  Country  ZLIB Complexity
RT_ICON        0x8c130  0xf4c4  Device independent bitmap graphic, 150 x 202 x 32, image size 60600, resolution 3779 x 3779 px/m                     0.25759655282476857
RT_GROUP_ICON  0x9b5f4  0x14    data                                                                                                                 1.1
RT_VERSION     0x9b608  0x350   data                                                                                                                 0.4257075471698113
RT_MANIFEST    0x9b958  0x1ea   XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                                    0.5489795918367347
Imports
DLL          Import
mscoree.dll  _CorExeMain
Note: a single native import of mscoree.dll!_CorExeMain, together with the CLR header in the data directories, identifies a .NET assembly; the "Programmed in" field in the process table further down does not reflect this, and the 7.63 entropy of .text is far above what IL and metadata normally produce.
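The section table is the first thing a triager reads: a code section at entropy 7.63 sits close to the 8.0 ceiling of compressed or encrypted data, and the CLR header plus the lone mscoree.dll import say the visible code is only a .NET loader. The script below is an added example and is not part of the Joe Sandbox report or of the sample; it computes entropy on the same bits-per-byte scale the report uses and applies triage rules to the section records copied from the table. The 7.0 threshold and the assumed 0x2000 section alignment are this example's own choices.

```python
import math
from dataclasses import dataclass


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes.
    This is the scale of the report's Entropy column."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    entropy: float
    characteristics: frozenset


# Section records copied from the report's section table.
REPORT_SECTIONS = [
    Section(".text", 0x2000, 0x88A48, 0x88C00, 7.626848152072666,
            frozenset({"IMAGE_SCN_CNT_CODE", "IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_READ"})),
    Section(".rsrc", 0x8C000, 0xFB44, 0xFC00, 4.340677806585484,
            frozenset({"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ"})),
    Section(".reloc", 0x9C000, 0xC, 0x200, 0.10191042566270775,
            frozenset({"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_DISCARDABLE",
                       "IMAGE_SCN_MEM_READ"})),
]
# From the report: COM descriptor directory at RVA 0x2008 (size 0x48) and one import.
REPORT_HAS_CLR_HEADER = True
REPORT_IMPORTS = {"mscoree.dll": ["_CorExeMain"]}

HIGH_ENTROPY = 7.0   # triage threshold; an assumption of this example, not a sandbox setting


def triage(sections, has_clr_header, imports, high_entropy=HIGH_ENTROPY):
    """Return human-readable findings for a PE described by its section table."""
    findings = []
    is_dotnet = has_clr_header and "_CorExeMain" in imports.get("mscoree.dll", [])
    if is_dotnet:
        findings.append("managed .NET executable: CLR header present and mscoree.dll!_CorExeMain "
                        "is the only native import")
    for s in sections:
        executable = bool(s.characteristics & {"IMAGE_SCN_CNT_CODE", "IMAGE_SCN_MEM_EXECUTE"})
        if executable and s.entropy >= high_entropy:
            findings.append(f"{s.name}: executable section with entropy {s.entropy:.2f} "
                            f">= {high_entropy}; compressed or encrypted payload inside the code section")
        # A section whose virtual size is a page or more above its raw size is
        # filled at run time, the classic layout of an in-place unpacker.
        if s.virtual_size > s.raw_size + 0xFFF:
            findings.append(f"{s.name}: virtual size 0x{s.virtual_size:x} exceeds raw size "
                            f"0x{s.raw_size:x}; section is filled at runtime")
        if s.name == ".reloc" and s.virtual_size <= 0xC and is_dotnet:
            findings.append(".reloc: 12-byte relocation block, i.e. the single fixup for the "
                            "_CorExeMain entry stub; normal for a .NET image")
    return findings


if __name__ == "__main__":
    for line in triage(REPORT_SECTIONS, REPORT_HAS_CLR_HEADER, REPORT_IMPORTS):
        print("-", line)
```

The entropy function matters because the threshold only means something on the same scale as the report: zlib-compressed or encrypted data lands at 7.9 or above, ordinary x86 or IL code well below 7, so a 7.63 code section is a payload container, not code.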
Suricata IDS alerts
Timestamp                         SID      Signature                                          Severity  Source IP    Source Port  Dest IP        Dest Port  Protocol
2025-01-15T13:20:12.854585+0100   2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.7  49703        193.122.130.0  80         TCP
TCP packets
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Jan 15, 2025 13:20:01.573172092 CET  49703        80         192.168.2.7    193.122.130.0
Jan 15, 2025 13:20:01.578077078 CET  80           49703      193.122.130.0  192.168.2.7
Jan 15, 2025 13:20:01.578140020 CET  49703        80         192.168.2.7    193.122.130.0
Jan 15, 2025 13:20:01.578397036 CET  49703        80         192.168.2.7    193.122.130.0
Jan 15, 2025 13:20:01.583214998 CET  80           49703      193.122.130.0  192.168.2.7
Jan 15, 2025 13:20:11.273300886 CET  80           49703      193.122.130.0  192.168.2.7
Jan 15, 2025 13:20:11.281291962 CET  49703        80         192.168.2.7    193.122.130.0
Jan 15, 2025 13:20:11.286251068 CET  80           49703      193.122.130.0  192.168.2.7
Jan 15, 2025 13:20:12.802160978 CET  80           49703      193.122.130.0  192.168.2.7
Jan 15, 2025 13:20:12.814521074 CET  49731        443        192.168.2.7    104.21.96.1
Jan 15, 2025 13:20:12.814563990 CET  443          49731      104.21.96.1    192.168.2.7
Jan 15, 2025 13:20:12.814634085 CET  49731        443        192.168.2.7    104.21.96.1
Jan 15, 2025 13:20:12.852652073 CET  49731        443        192.168.2.7    104.21.96.1
Jan 15, 2025 13:20:12.852673054 CET  443          49731      104.21.96.1    192.168.2.7
Jan 15, 2025 13:20:12.854584932 CET  49703        80         192.168.2.7    193.122.130.0
Jan 15, 2025 13:20:13.336136103 CET  443          49731      104.21.96.1    192.168.2.7
Jan 15, 2025 13:20:13.336314917 CET  49731        443        192.168.2.7    104.21.96.1
Jan 15, 2025 13:20:13.356759071 CET  49731        443        192.168.2.7    104.21.96.1
Jan 15, 2025 13:20:13.356775999 CET  443          49731      104.21.96.1    192.168.2.7
Jan 15, 2025 13:20:13.357256889 CET  443          49731      104.21.96.1    192.168.2.7
Jan 15, 2025 13:20:13.401506901 CET  49731        443        192.168.2.7    104.21.96.1
Jan 15, 2025 13:20:13.593390942 CET  49731        443        192.168.2.7    104.21.96.1
Jan 15, 2025 13:20:13.639343977 CET  443          49731      104.21.96.1    192.168.2.7
Jan 15, 2025 13:20:13.703957081 CET  443          49731      104.21.96.1    192.168.2.7
Jan 15, 2025 13:20:13.704044104 CET  443          49731      104.21.96.1    192.168.2.7
Jan 15, 2025 13:20:13.704123020 CET  49731        443        192.168.2.7    104.21.96.1
Jan 15, 2025 13:20:13.773293972 CET  49731        443        192.168.2.7    104.21.96.1
Jan 15, 2025 13:21:17.801110029 CET  80           49703      193.122.130.0  192.168.2.7
Jan 15, 2025 13:21:17.801213026 CET  49703        80         192.168.2.7    193.122.130.0
Jan 15, 2025 13:21:52.808484077 CET  49703        80         192.168.2.7    193.122.130.0
Jan 15, 2025 13:21:52.820784092 CET  80           49703      193.122.130.0  192.168.2.7
UDP packets
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Jan 15, 2025 13:20:01.559859037 CET  49723        53         192.168.2.7  1.1.1.1
Jan 15, 2025 13:20:01.567037106 CET  53           49723      1.1.1.1      192.168.2.7
Jan 15, 2025 13:20:12.806370020 CET  55269        53         192.168.2.7  1.1.1.1
Jan 15, 2025 13:20:12.813658953 CET  53           55269      1.1.1.1      192.168.2.7
DNS queries
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                 Type            Class        DNS over HTTPS
Jan 15, 2025 13:20:01.559859037 CET  192.168.2.7  1.1.1.1  0x4040    Standard query (0)  checkip.dyndns.org   A (IP address)  IN (0x0001)  false
Jan 15, 2025 13:20:12.806370020 CET  192.168.2.7  1.1.1.1  0xb1ca    Standard query (0)  reallyfreegeoip.org  A (IP address)  IN (0x0001)  false
DNS answers
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                 CName               Address         Type                    Class        DNS over HTTPS
Jan 15, 2025 13:20:01.567037106 CET  1.1.1.1    192.168.2.7  0x4040    No error (0)  checkip.dyndns.org   checkip.dyndns.com                  CNAME (Canonical name)  IN (0x0001)  false
Jan 15, 2025 13:20:01.567037106 CET  1.1.1.1    192.168.2.7  0x4040    No error (0)  checkip.dyndns.com                       193.122.130.0   A (IP address)          IN (0x0001)  false
Jan 15, 2025 13:20:01.567037106 CET  1.1.1.1    192.168.2.7  0x4040    No error (0)  checkip.dyndns.com                       132.226.247.73  A (IP address)          IN (0x0001)  false
Jan 15, 2025 13:20:01.567037106 CET  1.1.1.1    192.168.2.7  0x4040    No error (0)  checkip.dyndns.com                       132.226.8.169   A (IP address)          IN (0x0001)  false
Jan 15, 2025 13:20:01.567037106 CET  1.1.1.1    192.168.2.7  0x4040    No error (0)  checkip.dyndns.com                       158.101.44.242  A (IP address)          IN (0x0001)  false
Jan 15, 2025 13:20:01.567037106 CET  1.1.1.1    192.168.2.7  0x4040    No error (0)  checkip.dyndns.com                       193.122.6.168   A (IP address)          IN (0x0001)  false
Jan 15, 2025 13:20:12.813658953 CET  1.1.1.1    192.168.2.7  0xb1ca    No error (0)  reallyfreegeoip.org                      104.21.96.1     A (IP address)          IN (0x0001)  false
Jan 15, 2025 13:20:12.813658953 CET  1.1.1.1    192.168.2.7  0xb1ca    No error (0)  reallyfreegeoip.org                      104.21.32.1     A (IP address)          IN (0x0001)  false
Jan 15, 2025 13:20:12.813658953 CET  1.1.1.1    192.168.2.7  0xb1ca    No error (0)  reallyfreegeoip.org                      104.21.112.1    A (IP address)          IN (0x0001)  false
Jan 15, 2025 13:20:12.813658953 CET  1.1.1.1    192.168.2.7  0xb1ca    No error (0)  reallyfreegeoip.org                      104.21.64.1     A (IP address)          IN (0x0001)  false
Jan 15, 2025 13:20:12.813658953 CET  1.1.1.1    192.168.2.7  0xb1ca    No error (0)  reallyfreegeoip.org                      104.21.80.1     A (IP address)          IN (0x0001)  false
Jan 15, 2025 13:20:12.813658953 CET  1.1.1.1    192.168.2.7  0xb1ca    No error (0)  reallyfreegeoip.org                      104.21.48.1     A (IP address)          IN (0x0001)  false
Jan 15, 2025 13:20:12.813658953 CET  1.1.1.1    192.168.2.7  0xb1ca    No error (0)  reallyfreegeoip.org                      104.21.16.1     A (IP address)          IN (0x0001)  false
                                                              • reallyfreegeoip.org
                                                              • checkip.dyndns.org
HTTP session (checkip.dyndns.org)
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.7  49703        193.122.130.0   80                7588  C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe

Timestamp                            Bytes  Direction  Data
Jan 15, 2025 13:20:01.578397036 CET  151    OUT
GET / HTTP/1.1
                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                              Host: checkip.dyndns.org
                                                              Connection: Keep-Alive
Jan 15, 2025 13:20:11.273300886 CET  321    IN
HTTP/1.1 200 OK
                                                              Date: Wed, 15 Jan 2025 12:20:11 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 104
                                                              Connection: keep-alive
                                                              Cache-Control: no-cache
                                                              Pragma: no-cache
                                                              X-Request-ID: 871152efd7872a7f88cabea32374f3a7
                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 15, 2025 13:20:11.281291962 CET  127    OUT
GET / HTTP/1.1
                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                              Host: checkip.dyndns.org
Jan 15, 2025 13:20:12.802160978 CET  321    IN
HTTP/1.1 200 OK
                                                              Date: Wed, 15 Jan 2025 12:20:12 GMT
                                                              Content-Type: text/html
                                                              Content-Length: 104
                                                              Connection: keep-alive
                                                              Cache-Control: no-cache
                                                              Pragma: no-cache
                                                              X-Request-ID: 2462871b7f9d14833f1aab5118481376
                                                              Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                              Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


HTTPS session (reallyfreegeoip.org)
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.7  49731        104.21.96.1     443               7588  C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe

Timestamp                Bytes  Direction  Data
2025-01-15 12:20:13 UTC  85     OUT
GET /xml/8.46.123.189 HTTP/1.1
                                                              Host: reallyfreegeoip.org
                                                              Connection: Keep-Alive
2025-01-15 12:20:13 UTC  861    IN
HTTP/1.1 200 OK
                                                              Date: Wed, 15 Jan 2025 12:20:13 GMT
                                                              Content-Type: text/xml
                                                              Content-Length: 362
                                                              Connection: close
                                                              Age: 2258402
                                                              Cache-Control: max-age=31536000
                                                              cf-cache-status: HIT
                                                              last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mB7fAHYyV9ULCn4jkMIQe1g0ZJZ899dWqQQmX4wmvDNrYW14eb%2BFafbuDxtCAlqGT%2BBB%2F8JoEL5JYaBsiuN4WQlUX9CViWpNjmNtjIz32HZs%2Fq5vh2M%2BzFtCnG%2F0PMCifRtDbQ51"}],"group":"cf-nel","max_age":604800}
                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                              Server: cloudflare
                                                              CF-RAY: 9025d1914f23de9a-EWR
                                                              alt-svc: h3=":443"; ma=86400
                                                              server-timing: cfL4;desc="?proto=TCP&rtt=1487&min_rtt=1479&rtt_var=571&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1889967&cwnd=194&unsent_bytes=0&cid=ea6d5517d3e36f8e&ts=382&x=0"
2025-01-15 12:20:13 UTC  362    IN
Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                              Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo
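The two sessions above are the sample's victim-profiling step, and they are the most reliable network signal in this report: the process asks checkip.dyndns.org for the machine's public address (twice, with a fixed and long-outdated MSIE 6.0 / Windows NT 5.2 User-Agent), then sends that address to reallyfreegeoip.org/xml/<ip> with no User-Agent header at all. The script below is an added example and is not part of the Joe Sandbox report; it extracts the address from the checkip body, parses the geoip reply with a regex so the truncated capture shown above still yields its complete elements, and correlates the IP-check followed by geoip sequence per client over constructed, tab-separated proxy log lines. The log format and the five-minute window are assumptions of the example.

```python
import re
from datetime import datetime, timedelta

# Constructed, tab-separated proxy log (not any product's real format):
# timestamp<TAB>client<TAB>method<TAB>host<TAB>path<TAB>user-agent
SAMPLE_LOG = (
    "2025-01-15T12:20:01Z\t192.168.2.7\tGET\tcheckip.dyndns.org\t/\t"
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)\n"
    "2025-01-15T12:20:11Z\t192.168.2.7\tGET\tcheckip.dyndns.org\t/\t"
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)\n"
    "2025-01-15T12:20:13Z\t192.168.2.7\tGET\treallyfreegeoip.org\t/xml/8.46.123.189\t-\n"
    # geoip lookup with no preceding IP check: not the pattern
    "2025-01-15T12:25:00Z\t192.168.2.9\tGET\treallyfreegeoip.org\t/xml/8.46.123.189\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64)\n"
    # IP check and geoip lookup hours apart: outside the correlation window
    "2025-01-15T09:00:00Z\t192.168.2.11\tGET\tcheckip.dyndns.org\t/\tcurl/8.4.0\n"
    "2025-01-15T12:30:00Z\t192.168.2.11\tGET\treallyfreegeoip.org\t/xml/203.0.113.5\t-\n"
)
# Response bodies as captured in the report (the geoip reply is truncated there too).
IPCHECK_BODY = ("<html><head><title>Current IP Check</title></head>"
                "<body>Current IP Address: 8.46.123.189</body></html>\r\n")
GEOIP_BODY = ("<Response>\n\t<IP>8.46.123.189</IP>\n\t<CountryCode>US</CountryCode>\n\t"
              "<CountryName>United States</CountryName>\n\t<RegionCode>NY</RegionCode>\n\t"
              "<RegionName>New York</RegionName>\n\t<City>New York</City>\n\t"
              "<ZipCode>10118</ZipCode>\n\t<TimeZone>America/New_York</TimeZo")

IP_CHECK_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com"}
GEOIP_HOSTS = {"reallyfreegeoip.org"}
GEOIP_PATH = re.compile(r"^/xml/(\d{1,3}(?:\.\d{1,3}){3})$")
# Exact User-Agent the sample sent; no current browser produces this string.
SAMPLE_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"
WINDOW = timedelta(minutes=5)   # assumed correlation window


def parse_line(line: str):
    ts, client, method, host, path, ua = line.split("\t")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, method, host, path, ua


def public_ip_from_ipcheck(body: str):
    """Address that the checkip.dyndns.org page reports to the caller."""
    m = re.search(r"Current IP Address:\s*(\d{1,3}(?:\.\d{1,3}){3})", body)
    return m.group(1) if m else None


def parse_geoip_xml(text: str) -> dict:
    """Element name -> text. A regex rather than an XML parser, so a truncated
    capture still yields every element that was closed before the cut."""
    return dict(re.findall(r"<(\w+)>([^<]*)</\1>", text))


def correlate(log_text: str, window: timedelta = WINDOW) -> list:
    """Alert when a client fetches its public IP and then geolocates an IP within the window."""
    last_ipcheck = {}   # client -> (timestamp, user-agent)
    alerts = []
    for line in log_text.splitlines():
        ts, client, _method, host, path, ua = parse_line(line)
        if host in IP_CHECK_HOSTS:
            last_ipcheck[client] = (ts, ua)
            continue
        m = GEOIP_PATH.match(path) if host in GEOIP_HOSTS else None
        if not m:
            continue
        prev = last_ipcheck.get(client)
        if prev and ts - prev[0] <= window:
            # The dated MSIE 6.0 / NT 5.2 string on the IP check is a strong secondary signal.
            score = 2 if prev[1] == SAMPLE_UA else 1
            alerts.append({"client": client, "ip": m.group(1), "first_seen": prev[0],
                           "geoip_at": ts, "score": score})
    return alerts


if __name__ == "__main__":
    print("public IP reported:", public_ip_from_ipcheck(IPCHECK_BODY))
    print("geoip fields recovered:", parse_geoip_xml(GEOIP_BODY))
    for alert in correlate(SAMPLE_LOG):
        print("ALERT", alert)
```

The correlation key is the client, not the destination: both services are legitimate and see benign traffic, so a rule on either host alone is noisy, while the ordered pair within a short window, with the geoip path carrying the very address the IP check returned, is specific to this stealer family's start-up routine.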



                                                              Target ID:0
                                                              Start time:07:19:59
                                                              Start date:15/01/2025
                                                              Path:C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe"
                                                              Imagebase:0xe60000
                                                              File size:639'496 bytes
                                                              MD5 hash:9D8BC1BD62DDD6EBE6F9E25A8C73BCA3
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1269663136.0000000005D10000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1267082972.0000000004379000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1267082972.0000000004379000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1267082972.0000000004379000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1267082972.0000000004379000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                              • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1267082972.00000000043B7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1267082972.00000000043B7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1267082972.00000000043B7000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                              • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1266311796.0000000003445000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                              Reputation:low
                                                              Has exited:true

                                                              Target ID:4
                                                              Start time:07:20:00
                                                              Start date:15/01/2025
                                                              Path:C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\Desktop\PDF6UU0CVUO2W-YGVUIO.scr.exe"
                                                              Imagebase:0xfc0000
                                                              File size:639'496 bytes
                                                              MD5 hash:9D8BC1BD62DDD6EBE6F9E25A8C73BCA3
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000004.00000002.2515751185.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.2515751185.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.2515751185.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                              Reputation:low
                                                              Has exited:false
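The Yara match list names each memory dump after the region it came from, and those names carry the triage signal: every hit in the parent (target 0) is in PAGE_READWRITE memory, while the hit in the child (target 4) is at 0x402000 in a PAGE_EXECUTE_READWRITE MEM_PRIVATE region, far below the child's reported Imagebase of 0xfc0000. Executable private memory holding a PE at a typical image address inside a second copy of the same binary is what a hollowed process looks like from a dump. The parser below is an added example, not part of the Joe Sandbox report; the field layout target.snapshot.dumpid.base.protect.unknown.type.unknown is my reading of the names (two fields are left undecoded), the protection and type values are the standard winnt.h constants, and the image size is assumed from the section table because SizeOfImage is not in the excerpt.

```python
import re
from dataclasses import dataclass

# Memory-dump names copied from the report's Yara match list.
REPORT_DUMPS = [
    "00000000.00000002.1269663136.0000000005D10000.00000004.08000000.00040000.00000000.sdmp",
    "00000000.00000002.1267082972.0000000004379000.00000004.00000800.00020000.00000000.sdmp",
    "00000000.00000002.1267082972.00000000043B7000.00000004.00000800.00020000.00000000.sdmp",
    "00000000.00000002.1266311796.0000000003445000.00000004.00000800.00020000.00000000.sdmp",
    "00000004.00000002.2515751185.0000000000402000.00000040.00000400.00020000.00000000.sdmp",
]
# Imagebase per target from the report's process table. SizeOfImage is not in the
# excerpt; 0x9e000 is assumed from the last section (.reloc at RVA 0x9c000, 0x200 bytes)
# rounded up to the 0x2000 alignment the section RVAs imply.
IMAGE_SIZE_ASSUMED = 0x9E000
REPORT_IMAGE_RANGES = {0: (0xE60000, 0xE60000 + IMAGE_SIZE_ASSUMED),
                       4: (0xFC0000, 0xFC0000 + IMAGE_SIZE_ASSUMED)}

# Windows memory constants (winnt.h).
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_IMAGE = 0x1000000
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}

# Assumed layout: target.snapshot.dumpid.base.protect.<undecoded>.type.<undecoded>.sdmp
SDMP_RE = re.compile(
    r"^(?P<target>[0-9a-f]{8})\.(?P<snapshot>[0-9a-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.[0-9a-f]{8}\."
    r"(?P<mtype>[0-9a-f]{8})\.[0-9a-f]{8}\.sdmp$", re.IGNORECASE)


@dataclass(frozen=True)
class Region:
    target: int
    base: int
    protect: int
    mem_type: int

    def describe(self) -> str:
        prot = PAGE_PROTECT.get(self.protect & 0xFF, hex(self.protect))
        kind = MEM_TYPE.get(self.mem_type, hex(self.mem_type))
        return f"target {self.target}: 0x{self.base:x} {prot} {kind}"


def parse_sdmp_name(name: str) -> Region:
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    return Region(int(m["target"], 16), int(m["base"], 16),
                  int(m["protect"], 16), int(m["mtype"], 16))


def injection_indicators(regions, image_ranges):
    """Return (region, reasons) for executable memory the loader did not map as an image."""
    hits = []
    for r in regions:
        prot = r.protect & 0xFF            # drop PAGE_GUARD / PAGE_NOCACHE modifier bits
        if prot not in EXECUTABLE or r.mem_type == MEM_IMAGE:
            continue
        reasons = [f"executable {MEM_TYPE.get(r.mem_type, 'non-image')} memory, not a loaded module"]
        if prot in WRITABLE:
            reasons.append("writable and executable at once (RWX)")
        lo, hi = image_ranges.get(r.target, (0, 0))
        if not lo <= r.base < hi:
            reasons.append(f"outside the process's own image 0x{lo:x}-0x{hi:x}; a second PE "
                           "written into the process (hollowing or manual mapping) is the usual cause")
        hits.append((r, reasons))
    return hits


if __name__ == "__main__":
    regions = [parse_sdmp_name(n) for n in REPORT_DUMPS]
    for region, reasons in injection_indicators(regions, REPORT_IMAGE_RANGES):
        print(region.describe())
        for why in reasons:
            print("  -", why)
```

Read together with the process table, the output points at the child as the place to carve: the parent only holds the decrypted payload in read-write heap, the child executes it from unbacked RWX memory, so the 0x402000 dump from target 4 is the one to extract and analyse as a PE, and the parent's dumps are the staging copies.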


                                                                Execution Graph

                                                                Execution Coverage:10.6%
                                                                Dynamic/Decrypted Code Coverage:100%
                                                                Signature Coverage:0%
                                                                Total number of Nodes:108
                                                                Total number of Limit Nodes:8
[execution_graph: node adjacency list of the interactive call graph, not reproduced. Recoverable information: the functions in the 0x186xxxx region (memory dump at 0x1860000) reach GetModuleHandleW, CreateActCtxA and DuplicateHandle; the functions in the 0x591xxxx region reach DrawTextExW through a chain of nested calls.]
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1265120646.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_1860000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: Ppq
                                                                • API String ID: 0-1927884935
                                                                • Opcode ID: bbbb2879a43f40eab6bec606d3e3a4c7e19c87e8623c487ef0daa8f543bf49b5
                                                                • Instruction ID: 906f1609f65c2576b5d05eb9c9a89e931bec8dd351623a4ee1d2678647a4763f
                                                                • Opcode Fuzzy Hash: bbbb2879a43f40eab6bec606d3e3a4c7e19c87e8623c487ef0daa8f543bf49b5
                                                                • Instruction Fuzzy Hash: A5819374E002099FDB55DFA9D984AEDBBF6FF88300F208129E819AB354DB345946CF51
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1265120646.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_1860000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: Ppq
                                                                • API String ID: 0-1927884935
                                                                • Opcode ID: efd45d28a697af7f8f0fbe30092a4f292a6b1ada7f16e264c0be9e928a6df2c4
                                                                • Instruction ID: 3f6276dcaf03511d02358c9247fa2bdf3f3023d6c0047015fc2071f717fdb347
                                                                • Opcode Fuzzy Hash: efd45d28a697af7f8f0fbe30092a4f292a6b1ada7f16e264c0be9e928a6df2c4
                                                                • Instruction Fuzzy Hash: 9A81B374E002099FDB15DFA9D984AEDBBF6FF88310F208129D819AB364DB346946CF51

                                                                Control-flow Graph
                                                                APIs
                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0186B626
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1265120646.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_1860000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID: HandleModule
                                                                • String ID:
                                                                • API String ID: 4139908857-0
                                                                • Opcode ID: badc9d884b7371b6450c51ebcf5776c6c6c4f1ac47f2d8f9d1cec3472a3272f1
                                                                • Instruction ID: 3f169e6050ce59d95fb0a0922c657471841eeff7b723f0476bf598975d9ca804
                                                                • Opcode Fuzzy Hash: badc9d884b7371b6450c51ebcf5776c6c6c4f1ac47f2d8f9d1cec3472a3272f1
                                                                • Instruction Fuzzy Hash: 64815770A00B058FE725DF69D55479ABBF5FF88308F00892EE58ADBA50D734E905CB91

                                                                Control-flow Graph
                                                                APIs
                                                                • CreateActCtxA.KERNEL32(?), ref: 018659C9
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1265120646.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_1860000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID: Create
                                                                • String ID:
                                                                • API String ID: 2289755597-0
                                                                • Opcode ID: c4ba261207164f34efac74f04a5f6bd5fda09039ac4f93e64cdebe1f9b58820d
                                                                • Instruction ID: 8287299752ecc8900c791cecaafd3d417ee7d8d8aa54f8d93317e6700520d108
                                                                • Opcode Fuzzy Hash: c4ba261207164f34efac74f04a5f6bd5fda09039ac4f93e64cdebe1f9b58820d
                                                                • Instruction Fuzzy Hash: 504190B1C0071DCBEB24DFAAD884B9DBBF5BF49304F20816AD508AB251DB755945CF90

                                                                Control-flow Graph
                                                                APIs
                                                                • CreateActCtxA.KERNEL32(?), ref: 018659C9
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1265120646.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_1860000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID: Create
                                                                • String ID:
                                                                • API String ID: 2289755597-0
                                                                • Opcode ID: 4028db97c6a73a179ceb2dac4985f1c31b1133effe29634d4616a419c34c1f4f
                                                                • Instruction ID: c095e816da84717f6ac2960394bbb965d4ce1490c7b57fdf09b8e64f88d6fff6
                                                                • Opcode Fuzzy Hash: 4028db97c6a73a179ceb2dac4985f1c31b1133effe29634d4616a419c34c1f4f
                                                                • Instruction Fuzzy Hash: 8341BFB1C01719CBEB24DFA9D885BDDBBF5BF49304F20806AD808AB251DB796946CF50

                                                                Control-flow Graph
                                                                APIs
                                                                • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0591D3FD,?,?), ref: 0591D4AF
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1268821003.0000000005910000.00000040.00000800.00020000.00000000.sdmp, Offset: 05910000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_5910000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID: DrawText
                                                                • String ID:
                                                                • API String ID: 2175133113-0
                                                                • Opcode ID: 266cbfa2f419b26075b2e483ec0f4b256ed0c215f296d3aa16d3784b6ec65614
                                                                • Instruction ID: e441ea05cdeeeca6862e93305379dcc7cbf52b1e096c028bed519cd3c0fb5c1f
                                                                • Opcode Fuzzy Hash: 266cbfa2f419b26075b2e483ec0f4b256ed0c215f296d3aa16d3784b6ec65614
                                                                • Instruction Fuzzy Hash: 132160B2A087544FEB328B6AD444776FFF9AF41228F0DC16BD88AC7552C638D509CB58

                                                                Control-flow Graph
                                                                APIs
                                                                • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0591D3FD,?,?), ref: 0591D4AF
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1268821003.0000000005910000.00000040.00000800.00020000.00000000.sdmp, Offset: 05910000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_5910000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID: DrawText
                                                                • String ID:
                                                                • API String ID: 2175133113-0
                                                                • Opcode ID: fdbf4c9c77772d3137e639cb527d7d1cad55d533550708c52997201f3983fe23
                                                                • Instruction ID: 8a22e03ce0451d9368b31e3fd8d3353531a51db83c9d4828348218f44736e202
                                                                • Opcode Fuzzy Hash: fdbf4c9c77772d3137e639cb527d7d1cad55d533550708c52997201f3983fe23
                                                                • Instruction Fuzzy Hash: 4231E2B5D003199FDB10CF9AD884AEEBBF9FB48310F14842AE919A7350D775A944CFA4

                                                                Control-flow Graph
                                                                APIs
                                                                • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0591D3FD,?,?), ref: 0591D4AF
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1268821003.0000000005910000.00000040.00000800.00020000.00000000.sdmp, Offset: 05910000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_5910000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID: DrawText
                                                                • String ID:
                                                                • API String ID: 2175133113-0
                                                                • Opcode ID: de0508bddf3aa2c926a18fb01fbe1b469a28b0c0e088bc1904cc4ef384f8790a
                                                                • Instruction ID: b5b221c845b522e63d31136f22c3be29697b72c59d70ffe4114fdbd35f2baa7e
                                                                • Opcode Fuzzy Hash: de0508bddf3aa2c926a18fb01fbe1b469a28b0c0e088bc1904cc4ef384f8790a
                                                                • Instruction Fuzzy Hash: 3A31DFB5D0031D9FDB10CF9AD884AAEBBF9FB48310F14842AE919A7350D774A944CFA4

                                                                Control-flow Graph
                                                                APIs
                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0186D586,?,?,?,?,?), ref: 0186DA4F
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1265120646.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_1860000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID: DuplicateHandle
                                                                • String ID:
                                                                • API String ID: 3793708945-0
                                                                • Opcode ID: d437555468152f584df821ab2dfcf81fcf71fe5fc04df070a625ec82cb98d8cc
                                                                • Instruction ID: 0bbe5b758d57a52b5537996eda34d508def0f7c10c0405f92e6a4f8e17d5c420
                                                                • Opcode Fuzzy Hash: d437555468152f584df821ab2dfcf81fcf71fe5fc04df070a625ec82cb98d8cc
                                                                • Instruction Fuzzy Hash: EB21E5B5D04248DFDB10CFAAD884AEEBBF9EB48314F14841AE954A7350D374A944CFA5

                                                                Control-flow Graph
                                                                APIs
                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0186D586,?,?,?,?,?), ref: 0186DA4F
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1265120646.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_1860000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID: DuplicateHandle
                                                                • String ID:
                                                                • API String ID: 3793708945-0
                                                                • Opcode ID: c086467c3bfd4a8e92d3b94234585ff24039627939f5aa0932b3b353a3bb2370
                                                                • Instruction ID: f532925201257c475186d4559c0973f91deb9f395b023604b7a8ea6c41ce3b6f
                                                                • Opcode Fuzzy Hash: c086467c3bfd4a8e92d3b94234585ff24039627939f5aa0932b3b353a3bb2370
                                                                • Instruction Fuzzy Hash: B22112B5D00248DFDB10CFA9D984AEEBBF4FB48310F14841AE958A3350C338AA54CFA4
                                                                APIs
                                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0186B626
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1265120646.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_1860000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID: HandleModule
                                                                • String ID:
                                                                • API String ID: 4139908857-0
                                                                • Opcode ID: 89c3c7525f51cffd3f6284ddc9ec274d440eeff63e9152e2c9eb48737ab61c96
                                                                • Instruction ID: 14eb99f4a46be50b561de27996ef3cf15f619758d6e0a6cb37840f8562863e36
                                                                • Opcode Fuzzy Hash: 89c3c7525f51cffd3f6284ddc9ec274d440eeff63e9152e2c9eb48737ab61c96
                                                                • Instruction Fuzzy Hash: EB11DFB6D002498FDB24DF9AD844ADEFBF8AF88314F10841AD519A7610C379A645CFA5
                                                                APIs
                                                                • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0591D3FD,?,?), ref: 0591D4AF
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1268821003.0000000005910000.00000040.00000800.00020000.00000000.sdmp, Offset: 05910000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_5910000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID: DrawText
                                                                • String ID:
                                                                • API String ID: 2175133113-0
                                                                • Opcode ID: 7c0ccf19f4f63e9a281f3f190a883007a2f41a04acb13e317757f7f111522d95
                                                                • Instruction ID: 64d8ab0def1e2ef10d036dae5d4f6e986b9102a9cbd7dd02db92e7f1cb28d8ed
                                                                • Opcode Fuzzy Hash: 7c0ccf19f4f63e9a281f3f190a883007a2f41a04acb13e317757f7f111522d95
                                                                • Instruction Fuzzy Hash: CE01A2728043589FEF118F98E804BDDBBF5EF54318F24841BE5149B290C3755445CB54
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1264665830.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_150d000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3e2f91bb9166ee315400ece8557edc5ca7002e613bd37a6406893df696dfc00b
                                                                • Instruction ID: 3a7776db7f5efc0c6e5b864f14156ca686961bfff5f17b7d20174c6bb182dd7c
                                                                • Opcode Fuzzy Hash: 3e2f91bb9166ee315400ece8557edc5ca7002e613bd37a6406893df696dfc00b
                                                                • Instruction Fuzzy Hash: DE212871504204DFDB16DFD4D9C0B5ABBB5FB84324F20C56DE9090F296C376E456CAA2
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1264665830.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_150d000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9ff59fec58589f9d33b5b52595db0c614eb93aaac8247f34714cf8b0b1750dac
                                                                • Instruction ID: 96701498cbe35d8785a8d17b549051683acd51b4942e327c5645a0dbf6d8047e
                                                                • Opcode Fuzzy Hash: 9ff59fec58589f9d33b5b52595db0c614eb93aaac8247f34714cf8b0b1750dac
                                                                • Instruction Fuzzy Hash: FA21A171504244EFDB16DFD4D9C0B2ABBB5FB88318F248569ED090F296C336D456CAA2
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1264938470.000000000181D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0181D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_181d000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0d549bb6839f894e334b48001f06fac35cba165ae0dbfb157d8c1084b3ebb816
                                                                • Instruction ID: f413ffe8ab49ce41cd950596709b2acea352ea9a631f53fce8b242fe57eb0fe9
                                                                • Opcode Fuzzy Hash: 0d549bb6839f894e334b48001f06fac35cba165ae0dbfb157d8c1084b3ebb816
                                                                • Instruction Fuzzy Hash: 76216772904304EFDB01DF94D5C8B55BBA9FB84328F20C76DE8098F24AC336E506CA61
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1264938470.000000000181D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0181D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_181d000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 50300a245969d713d1a10bff92c077e6768fdece5364c217d34b5b9d58385b86
                                                                • Instruction ID: e566589c2b3f1211bdb5c2615b95040ca77ea629b1e9468540ee698030edf7b1
                                                                • Opcode Fuzzy Hash: 50300a245969d713d1a10bff92c077e6768fdece5364c217d34b5b9d58385b86
                                                                • Instruction Fuzzy Hash: AD212576504304EFDB15DF64D9C8B16BBA9FB84314F20C66DE80A8B24AC33BD547CA62
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1264665830.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_150d000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
                                                                • Instruction ID: daed8456aaa24d0387c31866c07534ff5ff45691552f33677dac208bb4418f1a
                                                                • Opcode Fuzzy Hash: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
                                                                • Instruction Fuzzy Hash: 7711CD72404240CFCB12CF94D5C4B5ABF71FB84324F2486A9D9090F656C33AE456CBA1
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1264665830.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_150d000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
                                                                • Instruction ID: 628e4d0c002e014bfdea50ada13a3aee76e0f2ba75f97470f009738c41bf9fa7
                                                                • Opcode Fuzzy Hash: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
                                                                • Instruction Fuzzy Hash: 00119D76504280CFCB16CF94D5C4B1ABF71FB88318F2486A9DD490F696C33AD45ACBA1
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1264938470.000000000181D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0181D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_181d000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
                                                                • Instruction ID: 97f16010e23216c89b232ed0eda8441bb1137efb65773e876825fb2a0883a5c5
                                                                • Opcode Fuzzy Hash: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
                                                                • Instruction Fuzzy Hash: 5F11BE76504280CFCB12CF54D5C8B15BBA1FB44314F24C6A9D8098B65AC33BD54ACB62
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1264938470.000000000181D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0181D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_181d000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
                                                                • Instruction ID: 6a644054baf50e8b8fb2c4b4d3a02bed7ac0b3aa43fe76039285f52ea55911a4
                                                                • Opcode Fuzzy Hash: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
                                                                • Instruction Fuzzy Hash: A111BB76504280DFCB12CF54D5C8B15BBA2FB84324F24C6A9D8498B69AC33AE40ACB61
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.1265120646.0000000001860000.00000040.00000800.00020000.00000000.sdmp, Offset: 01860000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_1860000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 16a185748f00c37acd9d6af9190f10f00cdb358a74354d28548ac1e997de6c05
                                                                • Instruction ID: c9d6aa30859ce6e57c7f3285cf4bd897d0594c696723617a4b89fe7961142e67
                                                                • Opcode Fuzzy Hash: 16a185748f00c37acd9d6af9190f10f00cdb358a74354d28548ac1e997de6c05
                                                                • Instruction Fuzzy Hash: 09A18232E002098FCF05DFB8D85459EBBF6FF85301B15856AE905EB265DB71EA46CB40
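The function records above share one layout (Memory Dump Source, Source File, Opcode ID, Instruction ID, the two fuzzy hashes), and the same Opcode ID recurs across records with different Instruction IDs (b6c069b3... twice in the 0150D000 dump, e020fc52... twice in the 0181D000 dump). The following is an added example, not code from Joe Sandbox or from this report: a small parser for that record text that pivots on Opcode ID, on API ID and on the dump file a function came from. The meaning of the dotted fields in the .sdmp file name (process index, stage, dump id, base address, page protection, allocation flags) is an assumption read off the records on this page, not a documented format; the sample input is constructed from three records copied above.

```python
"""Parse Joe Sandbox 'Memory Dump Source' function records and pivot on them.
Added example for this page, not Joe Sandbox code; .sdmp field meanings are assumed."""
import re
from collections import defaultdict

# Constructed sample: three records in the shape of the report text above (hashes copied from it).
SAMPLE = """\
Memory Dump Source
• Source File: 00000000.00000002.1264665830.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_150d000_PDF6UU0CVUO2W-YGVUIO.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
• Instruction ID: daed8456aaa24d0387c31866c07534ff5ff45691552f33677dac208bb4418f1a
• Opcode Fuzzy Hash: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
• Instruction Fuzzy Hash: 7711CD72404240CFCB12CF94D5C4B5ABF71FB84324F2486A9D9090F656C33AE456CBA1
Memory Dump Source
• Source File: 00000000.00000002.1264665830.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
• Opcode ID: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
• Instruction ID: 628e4d0c002e014bfdea50ada13a3aee76e0f2ba75f97470f009738c41bf9fa7
• Opcode Fuzzy Hash: b6c069b3d400d01fa3022dda7a4192202465086b1da4fe746ff97b9e65d68317
• Instruction Fuzzy Hash: 00119D76504280CFCB16CF94D5C4B1ABF71FB88318F2486A9DD490F696C33AD45ACBA1
Memory Dump Source
• Source File: 00000004.00000002.2520827063.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
• API ID: InitializeThunk
• API String ID: 2994545307-0
• Opcode ID: 2fdc529f2577b1b2faf1e5eb117573625e327428779b4aade77fb107ad46285c
• Instruction ID: 362900bffa727df5b30eb807efe84ff2745b3b0962948fc6d0a4b72cebd598f1
• Opcode Fuzzy Hash: 2fdc529f2577b1b2faf1e5eb117573625e327428779b4aade77fb107ad46285c
• Instruction Fuzzy Hash: 1C222B74E002298FDB14DFA9C989B9DBBF2BF84304F1481A9D409AB355DB349D86CF50
"""

FIELD_RE = re.compile(r"^\s*•\s*([^:]+?):\s*(.*)$")
SOURCE_RE = re.compile(r"^(?P<file>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
                       r"\s*based on PE:\s*(?P<pe>\w+)$")

def parse_records(text):
    """One dict per 'Memory Dump Source' record; empty bullet fields become None."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "Memory Dump Source":
            current = {}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if current is None or not m:
            continue  # 'Joe Sandbox IDA Plugin', 'Similarity', 'Strings', 'APIs' carry no fields
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Source File" and (s := SOURCE_RE.match(value)):
            current["Source File"] = s.group("file")
            current["Offset"] = int(s.group("offset"), 16)
            current["Based on PE"] = s.group("pe").lower() == "true"
        else:
            current[key] = value or None
    return records

def parse_sdmp_name(name):
    """Decode the dotted .sdmp name. ASSUMPTION: field meanings are inferred from this page."""
    if not name.endswith(".sdmp") or len(parts := name[:-len(".sdmp")].split(".")) != 8:
        raise ValueError(f"unexpected .sdmp name layout: {name}")
    return {
        "process_index": int(parts[0]),    # 0 is the submitted sample, 4 a later process
        "stage": int(parts[1]),
        "dump_id": parts[2],
        "base": int(parts[3], 16),         # equals the record's 'Offset' in every record above
        "protection": int(parts[4], 16),   # 0x40 would be PAGE_EXECUTE_READWRITE if this is a page protection
        "flags": [int(p, 16) for p in parts[5:]],  # 0x20000 would be MEM_PRIVATE if these are MEM_* flags
    }

def pivot_by_opcode_id(records):
    """Opcode ID -> [(source file, Instruction ID)]. One Opcode ID with several Instruction IDs
    is the same opcode sequence with different operands: a relocated or re-emitted copy of one
    function, which makes the Opcode ID a useful hunting key across dumps and samples."""
    pivot = defaultdict(list)
    for r in records:
        if r.get("Opcode ID"):
            pivot[r["Opcode ID"]].append((r["Source File"], r["Instruction ID"]))
    return dict(pivot)

def functions_with_api(records, api):
    """Records whose 'API ID' names the given API, e.g. 'InitializeThunk'."""
    return [r for r in records if r.get("API ID") and api in r["API ID"]]

def executable_dumps(records):
    """Distinct dump files whose assumed protection field has a PAGE_EXECUTE_* bit (0x10..0x80):
    the unpacked-code regions to carve first."""
    return sorted({r["Source File"] for r in records
                   if parse_sdmp_name(r["Source File"])["protection"] & 0xF0})

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for opcode_id, hits in pivot_by_opcode_id(recs).items():
        print(f"{opcode_id[:16]}... seen {len(hits)}x in {sorted({f for f, _ in hits})}")
    print("LdrInitializeThunk callers:", [hex(r["Offset"]) for r in functions_with_api(recs, "InitializeThunk")])
    print("executable dumps:", executable_dumps(recs))
```

Running it on the full report text rather than SAMPLE gives the list of functions that appear in more than one dump (the same code re-laid-out at a new base) and the subset of dumps worth carving for the unpacked payload.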

                                                                Execution Graph

                                                                Execution Coverage: 12.5%
                                                                Dynamic/Decrypted Code Coverage: 100%
                                                                Signature Coverage: 15.6%
                                                                Total number of Nodes: 77
                                                                Total number of Limit Nodes: 13

                                                                [Execution graph rendering not recoverable from the extracted text; the recoverable node data: entry nodes 5a213a8, 18546d8, 5ff9ad0 and 5ff9480; nodes that resolve to an API call: 5a20d18, 5a211f9, 5a20d09 and 5a210b4 (LdrInitializeThunk), 5ff9ad0 (DuplicateHandle), 5ff94c6 and 5ff9555 (GetCurrentProcess), 5ff9518 (GetCurrentThread), 5ff95b3 (GetCurrentThreadId). The 5ff9480 path runs GetCurrentProcess, GetCurrentThread, GetCurrentProcess, then GetCurrentThreadId; the 18546d8 and 5a213a8 paths reach the LdrInitializeThunk nodes through 5a20ab8, 5a20cd8, 5a210bc and 5a20aa8.]
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2518102897.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_1850000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: N
                                                                • API String ID: 0-1130791706
                                                                • Opcode ID: 74f9d06461fbe6815f9538c3f714d428aeab390dddab9c9729604018580907ba
                                                                • Instruction ID: 73d15dd9caf705a6a18c2bfb884d9dccab64276508809f11a94b36669365d210
                                                                • Opcode Fuzzy Hash: 74f9d06461fbe6815f9538c3f714d428aeab390dddab9c9729604018580907ba
                                                                • Instruction Fuzzy Hash: 6073D631D1075A8EDB11EF68C944A99FBB1FF99300F51C6DAE4586B221EB70AAC4CF41

                                                                Control-flow Graph

                                                                [Graph rendering (executed / not executed basic blocks) not recoverable from the extracted text; the recoverable block data: function entry 5a20ab8-5a20ac8, basic blocks spanning 5a20ab8 to 5a2130f, blocks 5a20d18-5a20da4 and 5a211f9-5a2120f call LdrInitializeThunk, and block 5a21100-5a21161 calls 5a20ab8 (re-entering the same function).]
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2520827063.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_5a20000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: 2fdc529f2577b1b2faf1e5eb117573625e327428779b4aade77fb107ad46285c
                                                                • Instruction ID: 362900bffa727df5b30eb807efe84ff2745b3b0962948fc6d0a4b72cebd598f1
                                                                • Opcode Fuzzy Hash: 2fdc529f2577b1b2faf1e5eb117573625e327428779b4aade77fb107ad46285c
                                                                • Instruction Fuzzy Hash: 1C222B74E002298FDB14DFA9C989B9DBBF2BF84304F1481A9D409AB355DB349D86CF50

                                                                Control-flow Graph

                                                                [Graph rendering (executed / not executed basic blocks) not recoverable from the extracted text; the recoverable block data: function entry 18527b9-18527e4, basic blocks spanning 18527b9 to 1852dc9, no API or inter-function calls recorded, with 1852dc4-1852dc9 as the common exit block.]
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2518102897.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_1850000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: Xq$Xq
                                                                • API String ID: 0-1556399337
                                                                • Opcode ID: 6e59553bfda9e7075eb1ddf16c0287527c030c56e753ad011c1452f27e0e5f83
                                                                • Instruction ID: 2e3e351ec9442736784fa2103bfc6f427af06cd51ff3cacb0f5728e9fee49538
                                                                • Opcode Fuzzy Hash: 6e59553bfda9e7075eb1ddf16c0287527c030c56e753ad011c1452f27e0e5f83
                                                                • Instruction Fuzzy Hash: 78324C31546796CFC7174F78C5567C677F2EF2A218B2804ECEC91CA06AEB6644A3EB04

                                                                Control-flow Graph

                                                                [Graph rendering (executed / not executed basic blocks) not recoverable from the extracted text; the recoverable block data: function entry 1852dd1-1852ded, basic blocks spanning 1852dd1 to 1853119; block 1852e37 is a sixteen-way dispatch whose successors all fall through to the exit block 1853094-185309b; blocks 185308b-185308f, 185304c-185306d and 185302f-185304a call 18502a8, 18518c8 and 18502b8 respectively.]
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2518102897.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_1850000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: Xq$$q
                                                                • API String ID: 0-855381642
                                                                • Opcode ID: d2a3727053ea7a56c078ce99f2a7fa522796c9792d7a360cc206420ca20b92a8
                                                                • Instruction ID: 967a9b39fa1c1bb14fcb0ca18987ad8904a6e7a6fa92b081f5912c59dd8489aa
                                                                • Opcode Fuzzy Hash: d2a3727053ea7a56c078ce99f2a7fa522796c9792d7a360cc206420ca20b92a8
                                                                • Instruction Fuzzy Hash: EC919431F00318DFDB98DB75985927EBBB7BFC8350B04845DE906D7288DE3589028B91
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2520827063.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_5a20000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: 336154f00c1f123838da8ac29e0edab175c850d43f417cabea5e7f244589f3c7
                                                                • Instruction ID: d185fee7fb9f5a4c99be6097cfeceeda196b597332d9c6d8b5a088d6ae5f584d
                                                                • Opcode Fuzzy Hash: 336154f00c1f123838da8ac29e0edab175c850d43f417cabea5e7f244589f3c7
                                                                • Instruction Fuzzy Hash: 9731E8B1D016189BEB18CFAAD988BDDFBF2BF88314F14C16AD418A72A4DB704945CF10
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2521203119.0000000005FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_5ff0000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 2436d98a7df1774a29a4a1264ff80c00260426e23f9ab51b0e922cff685622cd
                                                                • Instruction ID: 7240cf64238c6bdcde85c459eebae1892811de388e6047af1d70fa3f943fc3ac
                                                                • Opcode Fuzzy Hash: 2436d98a7df1774a29a4a1264ff80c00260426e23f9ab51b0e922cff685622cd
                                                                • Instruction Fuzzy Hash: 0572CE74E052298FDB64DF69C984BEDBBB2BF49300F1481E9D509AB265DB349E81CF40
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2520827063.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_5a20000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: f2aa4d3aa0cc011f5b2a6aae946c4862abdf4be5bab930f062bce5d8cdd1e10e
                                                                • Instruction ID: 27e2e16164723ac57597618d5726cb9c1580252e086bc5542b7c9757afbacbd5
                                                                • Opcode Fuzzy Hash: f2aa4d3aa0cc011f5b2a6aae946c4862abdf4be5bab930f062bce5d8cdd1e10e
                                                                • Instruction Fuzzy Hash: 6EE1B074E01218CFEB64DFA9C944B9DBBB2BF89300F2081A9D409AB394DB755E85CF51
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2520827063.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_5a20000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d98962f25b285a9b746eb8a2964383993b8c489a7d27c3671abee51338e3feff
                                                                • Instruction ID: 8124c0e32c557f575d2eafea80c80fd69c0325c28b004c60f9e824d87f9ba907
                                                                • Opcode Fuzzy Hash: d98962f25b285a9b746eb8a2964383993b8c489a7d27c3671abee51338e3feff
                                                                • Instruction Fuzzy Hash: F4C18074E00218CFDB14DFA9C955BADBBB2FB89300F2081A9D809AB355DB359E85CF50
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2518102897.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_1850000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 27217b603bf94306fc2865f14bb20d119784a17cabaed9e368cbddeeff3efc04
                                                                • Instruction ID: 8eb89fb2e56a6e01f799e80b9c175a7f8c924b30f8c0092c0d595c33472a48b9
                                                                • Opcode Fuzzy Hash: 27217b603bf94306fc2865f14bb20d119784a17cabaed9e368cbddeeff3efc04
                                                                • Instruction Fuzzy Hash: 84C19074E00218CFDB64DFA5D954BADBBB2FB88304F1081A9D809AB355DB35AE85CF50
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2518102897.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_1850000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 8ddec6a6d23844b1c5dbad97490cadd32f77e4b627326c4a3c8e8054ef11b08a
                                                                • Instruction ID: fd866d048b9c2bfbcb1e9fdd27fa3d4d2e9ac0e48683ed5460cbe0be6f502aa0
                                                                • Opcode Fuzzy Hash: 8ddec6a6d23844b1c5dbad97490cadd32f77e4b627326c4a3c8e8054ef11b08a
                                                                • Instruction Fuzzy Hash: E1A11571D007198EDB11DFA9C8847DDFBB5EF89304F10C2AAE418AB261EB709A85CF41
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2518102897.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_1850000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 706b9fcb4f27fad53f6a918a7fa9f9369edd8f7c6073052ff749dd42dbbf41cd
                                                                • Instruction ID: 798bdefa32a2eed1114a40cd16c1776b6e876af48e58d55f8baa3c5c5b8b25a3
                                                                • Opcode Fuzzy Hash: 706b9fcb4f27fad53f6a918a7fa9f9369edd8f7c6073052ff749dd42dbbf41cd
                                                                • Instruction Fuzzy Hash: F8A1E470D00208CFEB24DFA9C5887DDBBB1FF88304F248269E509AB295DB749A85CF55
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2518102897.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_1850000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0d24f5ab7679fbad7eb3bbd36522b72db0783f143d0a127497242f696fd714a8
                                                                • Instruction ID: 3a7279e5337760a80c733275d132ebe41daed03b9fceb4c1f7fd419a00c6a496
                                                                • Opcode Fuzzy Hash: 0d24f5ab7679fbad7eb3bbd36522b72db0783f143d0a127497242f696fd714a8
                                                                • Instruction Fuzzy Hash: 6FA1F570D00208CFEB24DFA9C5887DDBBB1FF48314F248269E509AB295DB749A85CF55
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2518102897.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_1850000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: bf24aa24e8e8486e3b1abfed3c01855c9ed7d2d69eecb40ed610982ac3422d4b
                                                                • Instruction ID: 06f59ebc172edad3531c5e4e9d4c2cd8fe097b8ad79d8c45f51c8b6092e12889
                                                                • Opcode Fuzzy Hash: bf24aa24e8e8486e3b1abfed3c01855c9ed7d2d69eecb40ed610982ac3422d4b
                                                                • Instruction Fuzzy Hash: 4F91F370D00208CFEB60DFA8C588BDCBBB1FF49315F248259E409AB291DB749A85CF55
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2518102897.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_1850000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b4e1bb0a59cc3445093ab53d2de814ecea86e8d9d405d5e51469d88dbbb7c64d
                                                                • Instruction ID: 1230d197e9d43093851ec0a580f2fd05b79c3590c18ec4ab2a80cff664d58477
                                                                • Opcode Fuzzy Hash: b4e1bb0a59cc3445093ab53d2de814ecea86e8d9d405d5e51469d88dbbb7c64d
                                                                • Instruction Fuzzy Hash: 4B41B274E00208CBEB58CFAAD55469EBBF2EF88304F24D12AD819AB259DB385945CF54
                                                                Control-flow Graph (legend: Executed / Not Executed)
                                                                control_flow_graph 1069 185b500-185b509 1070 185b512-185b515 1069->1070 1071 185b50b-185b510 1069->1071 1073 185b517-185b51c 1070->1073 1074 185b51e-185b521 1070->1074 1072 185b54a-185b54d 1071->1072 1073->1072 1075 185b523-185b528 1074->1075 1076 185b52a-185b52d 1074->1076 1075->1072 1077 185b536-185b539 1076->1077 1078 185b52f-185b534 1076->1078 1079 185b542-185b545 1077->1079 1080 185b53b-185b540 1077->1080 1078->1072 1081 185b547 1079->1081 1082 185b54e-185b5be 1079->1082 1080->1072 1081->1072 1089 185b5c3-185b5d2 call 185b4a8 1082->1089 1092 185b5d4-185b5ef 1089->1092 1093 185b61b-185b61e 1089->1093 1092->1093 1103 185b5f1-185b5f5 1092->1103 1094 185b634-185b640 1093->1094 1095 185b620-185b626 1093->1095 1101 185b667-185b668 1094->1101 1102 185b642-185b663 1094->1102 1095->1089 1097 185b628 1095->1097 1099 185b62a-185b631 1097->1099 1105 185b66f-185b675 1101->1105 1106 185b66a-185b66d 1101->1106 1104 185b665 1102->1104 1102->1105 1107 185b5f7-185b5fc 1103->1107 1108 185b5fe-185b607 1103->1108 1104->1101 1110 185b677-185b67a 1105->1110 1111 185b689-185b6bd call 185ab68 1105->1111 1106->1105 1109 185b6c0-185b718 1106->1109 1107->1099 1108->1093 1113 185b609-185b612 1108->1113 1118 185b71f-185b79f 1109->1118 1110->1111 1112 185b67c-185b67e 1110->1112 1112->1111 1115 185b680-185b683 1112->1115 1113->1093 1116 185b614-185b619 1113->1116 1115->1111 1115->1118 1116->1099 1137 185b7a1-185b7a5 1118->1137 1138 185b7bf-185b815 1118->1138 1178 185b7a8 call 185b5a1 1137->1178 1179 185b7a8 call 185b500 1137->1179 1180 185b7a8 call 185b89d 1137->1180 1181 185b7a8 call 185b4ef 1137->1181 1182 185b7a8 call 185b869 1137->1182 1144 185b817-185b81e 1138->1144 1145 185b820-185b829 1138->1145 1139 185b7ab-185b7bc 1146 185b83b-185b844 1144->1146 1147 185b834 1145->1147 1148 185b82b-185b832 1145->1148 1149 185b8d8-185b8dc 1146->1149 1150 185b84a-185b867 1146->1150 1147->1146 1148->1146 1176 185b8df call 185b9f8 1149->1176 1177 185b8df call 185b9ea 1149->1177 1152 185b8e5-185b901 1150->1152 1155 185b903-185b906 1152->1155 1156 185b908-185b962 call 185ab78 1152->1156 1155->1156 1157 185b96a-185b973 1155->1157 1156->1157 1158 185b975-185b978 1157->1158 1159 185b97a-185b9b0 1157->1159 1158->1159 1161 185b9df-185b9e5 1158->1161 1159->1161 1171 185b9b2-185b9d7 call 185ab88 1159->1171 1171->1161 1176->1152 1177->1152 1178->1139 1179->1139 1180->1139 1181->1139 1182->1139
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2518102897.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_1850000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 8q$Hq$Hq$Hq$TJq
                                                                • API String ID: 0-768243005
                                                                • Opcode ID: bfcdaf887ec68b040b6714a82be6f72ba880a3cb97c4476918e3cc64a33a7a59
                                                                • Instruction ID: 954f75d1f657b5a0926aeaa8437b30f8f46b95ec7413b6cce16de57ea34a2fb0
                                                                • Opcode Fuzzy Hash: bfcdaf887ec68b040b6714a82be6f72ba880a3cb97c4476918e3cc64a33a7a59
                                                                • Instruction Fuzzy Hash: 68D1D231B042048FDB55DB6CC895AAD7BF7EF89320F18406AE905EB391CA34DD42CBA1
                                                                Control-flow Graph (legend: Executed / Not Executed)
                                                                control_flow_graph 1183 5ff9462-5ff950f GetCurrentProcess 1187 5ff9518-5ff954c GetCurrentThread 1183->1187 1188 5ff9511-5ff9517 1183->1188 1189 5ff954e-5ff9554 1187->1189 1190 5ff9555-5ff9589 GetCurrentProcess 1187->1190 1188->1187 1189->1190 1191 5ff958b-5ff9591 1190->1191 1192 5ff9592-5ff95ad call 5ff9a58 1190->1192 1191->1192 1196 5ff95b3-5ff95e2 GetCurrentThreadId 1192->1196 1197 5ff95eb-5ff964d 1196->1197 1198 5ff95e4-5ff95ea 1196->1198 1198->1197
                                                                APIs
                                                                • GetCurrentProcess.KERNEL32 ref: 05FF94FE
                                                                • GetCurrentThread.KERNEL32 ref: 05FF953B
                                                                • GetCurrentProcess.KERNEL32 ref: 05FF9578
                                                                • GetCurrentThreadId.KERNEL32 ref: 05FF95D1
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2521203119.0000000005FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_5ff0000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID: Current$ProcessThread
                                                                • String ID:
                                                                • API String ID: 2063062207-0
                                                                • Opcode ID: 8fd12539a781c998b1ba57b79c48f30a1d5a102ef7db87453a6f6657e934579f
                                                                • Instruction ID: 63e786302b2e183548aab93e9a4c21273a3b16353b92edbc3e2cb30fbb3b5af7
                                                                • Opcode Fuzzy Hash: 8fd12539a781c998b1ba57b79c48f30a1d5a102ef7db87453a6f6657e934579f
                                                                • Instruction Fuzzy Hash: BC5145B0D013498FDB14CFA9D948BAEBBF1EF88314F24805AE109A73A0D7786945CB65
                                                                Control-flow Graph (legend: Executed / Not Executed)
                                                                control_flow_graph 1205 5ff9480-5ff950f GetCurrentProcess 1209 5ff9518-5ff954c GetCurrentThread 1205->1209 1210 5ff9511-5ff9517 1205->1210 1211 5ff954e-5ff9554 1209->1211 1212 5ff9555-5ff9589 GetCurrentProcess 1209->1212 1210->1209 1211->1212 1213 5ff958b-5ff9591 1212->1213 1214 5ff9592-5ff95ad call 5ff9a58 1212->1214 1213->1214 1218 5ff95b3-5ff95e2 GetCurrentThreadId 1214->1218 1219 5ff95eb-5ff964d 1218->1219 1220 5ff95e4-5ff95ea 1218->1220 1220->1219
                                                                APIs
                                                                • GetCurrentProcess.KERNEL32 ref: 05FF94FE
                                                                • GetCurrentThread.KERNEL32 ref: 05FF953B
                                                                • GetCurrentProcess.KERNEL32 ref: 05FF9578
                                                                • GetCurrentThreadId.KERNEL32 ref: 05FF95D1
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2521203119.0000000005FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_5ff0000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID: Current$ProcessThread
                                                                • String ID:
                                                                • API String ID: 2063062207-0
                                                                • Opcode ID: b9585a93288fa0451e1889e19c579459545f9913534b15a31f684ad96c716c7f
                                                                • Instruction ID: f5ce5b64cd541104710bdee37be21c8766519da138507d7f817e704769f5996a
                                                                • Opcode Fuzzy Hash: b9585a93288fa0451e1889e19c579459545f9913534b15a31f684ad96c716c7f
                                                                • Instruction Fuzzy Hash: C65123B49003098FDB14CFA9D948BAEBBF1FF88314F248459E509A7360DB78A944CB65
                                                                Control-flow Graph (legend: Executed / Not Executed)
                                                                control_flow_graph 1227 185ad3d-185afaf call 185a428 1233 185afb5-185afb7 1227->1233 1234 185b18b-185b196 1227->1234 1235 185b19d-185b1a8 1233->1235 1236 185afbd-185afc1 1233->1236 1234->1235 1242 185b1af-185b1ba 1235->1242 1236->1235 1237 185afc7-185afff call 185ab68 1236->1237 1237->1242 1251 185b005-185b009 1237->1251 1246 185b1c1-185b1cc 1242->1246 1250 185b1d3-185b1ff 1246->1250 1283 185b206-185b232 1250->1283 1252 185b015-185b019 1251->1252 1253 185b00b-185b00f 1251->1253 1255 185b024-185b028 1252->1255 1256 185b01b-185b022 1252->1256 1253->1246 1253->1252 1257 185b040-185b044 1255->1257 1258 185b02a-185b02e 1255->1258 1256->1257 1259 185b046-185b048 1257->1259 1260 185b04b-185b052 1257->1260 1262 185b030-185b037 1258->1262 1263 185b039 1258->1263 1259->1260 1264 185b054 1260->1264 1265 185b05b-185b05f 1260->1265 1262->1257 1263->1257 1268 185b097-185b09b 1264->1268 1269 185b110-185b113 1264->1269 1270 185b0dd-185b0e0 1264->1270 1271 185b0ae-185b0b1 1264->1271 1272 185b179-185b184 1264->1272 1266 185b065-185b069 1265->1266 1267 185b13e-185b141 1265->1267 1266->1272 1276 185b06f-185b072 1266->1276 1274 185b151-185b174 1267->1274 1275 185b143-185b146 1267->1275 1310 185b09e call 185b5a1 1268->1310 1311 185b09e call 185b500 1268->1311 1312 185b09e call 185b4ef 1268->1312 1277 185b115 1269->1277 1278 185b11a-185b139 1269->1278 1281 185b0e2-185b0e5 1270->1281 1282 185b0eb-185b10e 1270->1282 1279 185b0b3-185b0b6 1271->1279 1280 185b0bc-185b0db 1271->1280 1272->1234 1274->1268 1274->1272 1275->1274 1284 185b148-185b14b 1275->1284 1285 185b074 1276->1285 1286 185b079-185b095 1276->1286 1277->1278 1278->1268 1279->1250 1279->1280 1280->1268 1281->1282 1281->1283 1282->1268 1291 185b239-185b27a 1283->1291 1284->1274 1284->1291 1285->1286 1286->1268 1287 185b0a4-185b0ab 1310->1287 1311->1287 1312->1287
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2518102897.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_1850000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: $Hq$Hq$Hq
                                                                • API String ID: 0-1373062214
                                                                • Opcode ID: 25e390c0f1cc292196973598847e4c1f4f38f0a5ddb16b13c58aa4483c157983
                                                                • Instruction ID: f8642fe632716f7f5f03c6a484696a669e4b69997300e7235ab98db2f49d623c
                                                                • Opcode Fuzzy Hash: 25e390c0f1cc292196973598847e4c1f4f38f0a5ddb16b13c58aa4483c157983
                                                                • Instruction Fuzzy Hash: 3361E430B046049FEB656F78A45926E7BA3EFC5361F64452AE916C73D0CF358E02CB91
                                                                Control-flow Graph (legend: Executed / Not Executed)
                                                                control_flow_graph 1313 18519b8-1851a13 1317 1851a35-1851a84 1313->1317 1318 1851a15-1851a34 1313->1318 1322 1851a86-1851a8d 1317->1322 1323 1851a9f 1317->1323 1324 1851a96-1851a9d 1322->1324 1325 1851a8f-1851a94 1322->1325 1327 1851aa7 1323->1327 1326 1851aaa-1851abe 1324->1326 1325->1326 1329 1851ad4-1851adc 1326->1329 1330 1851ac0-1851ac7 1326->1330 1327->1326 1333 1851ade-1851ae2 1329->1333 1331 1851acd-1851ad2 1330->1331 1332 1851ac9-1851acb 1330->1332 1331->1333 1332->1333 1335 1851ae4-1851af9 1333->1335 1336 1851b42-1851b45 1333->1336 1335->1336 1344 1851afb-1851afe 1335->1344 1337 1851b47-1851b5c 1336->1337 1338 1851b8d-1851b93 1336->1338 1337->1338 1348 1851b5e-1851b62 1337->1348 1339 185268e 1338->1339 1340 1851b99-1851b9b 1338->1340 1345 1852693-18526dc 1339->1345 1340->1339 1342 1851ba1-1851ba6 1340->1342 1346 185263c-1852640 1342->1346 1347 1851bac 1342->1347 1349 1851b00-1851b02 1344->1349 1350 1851b1d-1851b3b call 18502a8 1344->1350 1366 18526de-18526f9 1345->1366 1367 18526fa-18527b6 1345->1367 1352 1852647-185268d 1346->1352 1353 1852642-1852645 1346->1353 1347->1346 1354 1851b64-1851b68 1348->1354 1355 1851b6a-1851b88 call 18502a8 1348->1355 1349->1350 1356 1851b04-1851b07 1349->1356 1350->1336 1353->1345 1353->1352 1354->1338 1354->1355 1355->1338 1356->1336 1360 1851b09-1851b1b 1356->1360 1360->1336 1360->1350 1366->1367
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2518102897.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_1850000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: Xq$Xq$Xq$Xq
                                                                • API String ID: 0-3965792415
                                                                • Opcode ID: 768b38243a5c18139f560b7e621423ca3bd4b420d78b1074299ad4c44c96149a
                                                                • Instruction ID: 920fd3fe6aa664937060ba031af1be0906905e2eaf50678e779ac581f5d3388d
                                                                • Opcode Fuzzy Hash: 768b38243a5c18139f560b7e621423ca3bd4b420d78b1074299ad4c44c96149a
                                                                • Instruction Fuzzy Hash: 47C1AC3094132A8FCB569B78858939A77F3EF6A304F2044A9EC45DB258EB314A93DB51
                                                                Control-flow Graph (legend: Executed / Not Executed)
                                                                control_flow_graph 1372 185af78-185afaf call 185a428 1377 185afb5-185afb7 1372->1377 1378 185b18b-185b196 1372->1378 1379 185b19d-185b1a8 1377->1379 1380 185afbd-185afc1 1377->1380 1378->1379 1386 185b1af-185b1ba 1379->1386 1380->1379 1381 185afc7-185afff call 185ab68 1380->1381 1381->1386 1395 185b005-185b009 1381->1395 1390 185b1c1-185b1cc 1386->1390 1394 185b1d3-185b1ff 1390->1394 1427 185b206-185b232 1394->1427 1396 185b015-185b019 1395->1396 1397 185b00b-185b00f 1395->1397 1399 185b024-185b028 1396->1399 1400 185b01b-185b022 1396->1400 1397->1390 1397->1396 1401 185b040-185b044 1399->1401 1402 185b02a-185b02e 1399->1402 1400->1401 1403 185b046-185b048 1401->1403 1404 185b04b-185b052 1401->1404 1406 185b030-185b037 1402->1406 1407 185b039 1402->1407 1403->1404 1408 185b054 1404->1408 1409 185b05b-185b05f 1404->1409 1406->1401 1407->1401 1412 185b097-185b09b 1408->1412 1413 185b110-185b113 1408->1413 1414 185b0dd-185b0e0 1408->1414 1415 185b0ae-185b0b1 1408->1415 1416 185b179-185b184 1408->1416 1410 185b065-185b069 1409->1410 1411 185b13e-185b141 1409->1411 1410->1416 1420 185b06f-185b072 1410->1420 1418 185b151-185b174 1411->1418 1419 185b143-185b146 1411->1419 1454 185b09e call 185b5a1 1412->1454 1455 185b09e call 185b500 1412->1455 1456 185b09e call 185b4ef 1412->1456 1421 185b115 1413->1421 1422 185b11a-185b139 1413->1422 1425 185b0e2-185b0e5 1414->1425 1426 185b0eb-185b10e 1414->1426 1423 185b0b3-185b0b6 1415->1423 1424 185b0bc-185b0db 1415->1424 1416->1378 1418->1412 1418->1416 1419->1418 1428 185b148-185b14b 1419->1428 1429 185b074 1420->1429 1430 185b079-185b095 1420->1430 1421->1422 1422->1412 1423->1394 1423->1424 1424->1412 1425->1426 1425->1427 1426->1412 1435 185b239-185b27a 1427->1435 1428->1418 1428->1435 1429->1430 1430->1412 1431 185b0a4-185b0ab 1454->1431 1455->1431 1456->1431
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2518102897.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_1850000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: $Hq$Hq$Hq
                                                                • API String ID: 0-1373062214
                                                                • Opcode ID: 667f6851be5d574369d035749dff31dac04f0b2064291af7a6f706a9fdb8e7c7
                                                                • Instruction ID: ca3c8a893de87be184fbd001b40b30270fd635ae1a0a195c151dd13f3b92adc1
                                                                • Opcode Fuzzy Hash: 667f6851be5d574369d035749dff31dac04f0b2064291af7a6f706a9fdb8e7c7
                                                                • Instruction Fuzzy Hash: A37106307006049BEF656F78A45927E7AA3EFD5361F64422AEA26C73D0CF358E02C791
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2518102897.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_1850000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: PHq$PHq
                                                                • API String ID: 0-1274609152
                                                                • Opcode ID: f28063d484164f8499eae043cb807237a1c3ae561533ab394d79afe794bdd7d0
                                                                • Instruction ID: 85f83172ac6301f1ccd82f0ddc60427afe5443ca25eb684bd9dac6eb7a32867e
                                                                • Opcode Fuzzy Hash: f28063d484164f8499eae043cb807237a1c3ae561533ab394d79afe794bdd7d0
                                                                • Instruction Fuzzy Hash: CC51C674E00608DFDB44DFA9D994A9DBBF2FF89310F248469E815AB354EB34A941CF50
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2518102897.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_1850000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 8q$TJq
                                                                • API String ID: 0-1436491226
                                                                • Opcode ID: fccfd87f9d9a44b79b47f44ed3da1175a4d7e2d26410534ec60a35347828be96
                                                                • Instruction ID: 3dca5c3498aab4ba06b6d737ecf73d875eff4f10fae552204f77a653ee03e521
                                                                • Opcode Fuzzy Hash: fccfd87f9d9a44b79b47f44ed3da1175a4d7e2d26410534ec60a35347828be96
                                                                • Instruction Fuzzy Hash: E7311535B002098FDB55DBA8C481E9DBBB2EF88320F195184E905EF361DA70ED468BA1
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2518102897.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_1850000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: 8q$TJq
                                                                • API String ID: 0-1436491226
                                                                • Opcode ID: 10993b9acbd5d90a933f16bcf71320a49901994784e96f7dfde43eaa578f77b0
                                                                • Instruction ID: ba7f9f4760d52bdf4669eae5287eb5a483d9fc83e0a3183d151221458b55cd79
                                                                • Opcode Fuzzy Hash: 10993b9acbd5d90a933f16bcf71320a49901994784e96f7dfde43eaa578f77b0
                                                                • Instruction Fuzzy Hash: B8312635B002098FDB55DFA8C481EDDBBB2EF88320F194154E505EF361DA71ED468BA1
                                                                APIs
                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05FF9B57
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2521203119.0000000005FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_5ff0000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID: DuplicateHandle
                                                                • String ID:
                                                                • API String ID: 3793708945-0
                                                                • Opcode ID: aebbc8164cc7f363b7bb9d1efb31b5c2a3c3017ca62ed7cc8ba752ea755a6676
                                                                • Instruction ID: 5627d396abbf3f9ef6efd49f5846fdf35fca122e07967b9f357c914e7b9b2515
                                                                • Opcode Fuzzy Hash: aebbc8164cc7f363b7bb9d1efb31b5c2a3c3017ca62ed7cc8ba752ea755a6676
                                                                • Instruction Fuzzy Hash: 7E21C2B5D002499FDB10CFAAD984ADEBBF8FB48310F14841AE918A7350D379A954CFA5
                                                                APIs
                                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05FF9B57
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2521203119.0000000005FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_5ff0000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID: DuplicateHandle
                                                                • String ID:
                                                                • API String ID: 3793708945-0
                                                                • Opcode ID: 280911d9c9a8e0afec6f8af628403df650e71f5fe4b4cdf32eb36d4453d43aff
                                                                • Instruction ID: 371c933ce04551c112b2fd83819eb791da8f149e95b7944bc11a9196071516b8
                                                                • Opcode Fuzzy Hash: 280911d9c9a8e0afec6f8af628403df650e71f5fe4b4cdf32eb36d4453d43aff
                                                                • Instruction Fuzzy Hash: 6321D2B5D002099FDB10CFAAD984ADEBBF8FF48214F14841AE918A7650D378A954CF65
                                                                APIs
                                                                • LdrInitializeThunk.NTDLL(00000000), ref: 05A211FE
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2520827063.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_5a20000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID: InitializeThunk
                                                                • String ID:
                                                                • API String ID: 2994545307-0
                                                                • Opcode ID: 8bf8e94cdf4aeeaa00bcaed1ee06a39165a07c38bb07039f66ae3caee4ba1ca7
                                                                • Instruction ID: 157eb14ca645b70c85078a811389e147bee6fd0a660764df21e31e59528f6df1
                                                                • Opcode Fuzzy Hash: 8bf8e94cdf4aeeaa00bcaed1ee06a39165a07c38bb07039f66ae3caee4ba1ca7
                                                                • Instruction Fuzzy Hash: BA116D74E042299FDB04DBADD585EADB7F6FB88304F148168E804AB242D7309941CB60
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2518102897.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_1850000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: LRq
                                                                • API String ID: 0-3187445251
                                                                • Opcode ID: 2b497ad8698826863d49f252bdc0f772ad8861a499f09872678844119aca3904
                                                                • Instruction ID: 39a7f924cb2b5f7fc248bafba1db2a533964ab53c42735dfc7525be3895f2e17
                                                                • Opcode Fuzzy Hash: 2b497ad8698826863d49f252bdc0f772ad8861a499f09872678844119aca3904
                                                                • Instruction Fuzzy Hash: 9EA1E874E00309DFCB54DFA8E984AAEBBB5FB48300F109169E805AB354DB34AD06CF91
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2518102897.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_1850000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: LRq
                                                                • API String ID: 0-3187445251
                                                                • Opcode ID: 49c97e3386ef4259e229631cdb05d08d9878dc0457cf753c6cf99970b96e9ad4
                                                                • Instruction ID: 2abf80966302b4da546bea96b2843e67367e19b5cadeef064ddd2dd7c59c8ecd
                                                                • Opcode Fuzzy Hash: 49c97e3386ef4259e229631cdb05d08d9878dc0457cf753c6cf99970b96e9ad4
                                                                • Instruction Fuzzy Hash: 15A1EA74E00309DFCB54DFA8E984AAEBBB5FB48310F109169E815AB355DB34AD06CF91
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2518102897.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_1850000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: Hq
                                                                • API String ID: 0-1594803414
                                                                • Opcode ID: 05d2223aefe503002f71be4d10c68e8bb7a9e2f35d0dfbb34d3998480b303830
                                                                • Instruction ID: 136d086cc968a10f5fa74e11e9dfe62ea079d55d6a92fe19d4d5683e7846722f
                                                                • Opcode Fuzzy Hash: 05d2223aefe503002f71be4d10c68e8bb7a9e2f35d0dfbb34d3998480b303830
                                                                • Instruction Fuzzy Hash: 352191347042059FD754DF68C995B6EBBB6FF98310F248069DA05CB365CE309E06CB90
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2518102897.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_1850000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: Hq
                                                                • API String ID: 0-1594803414
                                                                • Opcode ID: cd1cda4e9b0953871f450125513b9baac25d84acdbbc79e701af7f038206c6f0
                                                                • Instruction ID: 1589b2b63e68e349688c49e0f1aa4dd3e80cdb29691c71b100270b4987f732ce
                                                                • Opcode Fuzzy Hash: cd1cda4e9b0953871f450125513b9baac25d84acdbbc79e701af7f038206c6f0
                                                                • Instruction Fuzzy Hash: FA218171B002099FDB44EFB8D955AAEBBB6EF88340F544469E105DB255DA309E02CB90
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2518102897.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_1850000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4278ca6e52421d677d4781dd2e1596fe507c99794ea690d796bac1aa1e4d7e06
                                                                • Instruction ID: d70a8c9cc45822c4b7f99cd098f504e33d17458b80f7c2dc3e5365c51f72e92d
                                                                • Opcode Fuzzy Hash: 4278ca6e52421d677d4781dd2e1596fe507c99794ea690d796bac1aa1e4d7e06
                                                                • Instruction Fuzzy Hash: 9261F672B007059FCB64DB7DD884AAABBF9EBC9324B14853AE919D7340D731D9018BA0
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2518102897.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_1850000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 442b036b800ef7b85c5589b884c37cba053a3b1900f89474de34e9f7ab325317
                                                                • Instruction ID: c380d60e358fe2ff004784fc470efd9300c6edc28bdcd31434d1b47010a9b7a3
                                                                • Opcode Fuzzy Hash: 442b036b800ef7b85c5589b884c37cba053a3b1900f89474de34e9f7ab325317
                                                                • Instruction Fuzzy Hash: 47419274E012089FDB48DFAAD884A9DBBF2FF89300F149129E805B7364DB349945CF55
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2518102897.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_1850000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 211f0d1dd875850ba5f61fc397dd84670f03b9932df253f5bf3a47afa48bd179
                                                                • Instruction ID: b93cc3ef68b2d20e83db2c42509f7cdf2bc95eb7d87c44cbeb4ef4308e47fae9
                                                                • Opcode Fuzzy Hash: 211f0d1dd875850ba5f61fc397dd84670f03b9932df253f5bf3a47afa48bd179
                                                                • Instruction Fuzzy Hash: 8A31C17907A60B8FD2642B21A5AE27A7FE6FB0F31BB086C10F60E81915CF385448DB50
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2518102897.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_1850000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 200dcb09b17ca43a6eaae90c618077b09bb5ee85192602f98d2d4686fb6783e3
                                                                • Instruction ID: 10ae0790541d4873805f8bca3758a4e764529d4f70fd545d54a986b9b0f7fe4f
                                                                • Opcode Fuzzy Hash: 200dcb09b17ca43a6eaae90c618077b09bb5ee85192602f98d2d4686fb6783e3
                                                                • Instruction Fuzzy Hash: 91218E35A002199FCB54DF28C844ABE7BB5EF89350BA08159DD19DB384DB35EE06CBD1
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2518102897.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_1850000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: eec8370af4a9bc5172610b11b6b816c7a9ac7573667ee52b769892d0a2ab1469
                                                                • Instruction ID: 57d9f8c8e151761a6cc9d75332db45acd4b8253ac7320deb0b8792aa5862f00c
                                                                • Opcode Fuzzy Hash: eec8370af4a9bc5172610b11b6b816c7a9ac7573667ee52b769892d0a2ab1469
                                                                • Instruction Fuzzy Hash: B02105357053414BDB669BB8A85A26D3FB7DFD6341B0804FADA49CB392CC358D018791
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2517746898.000000000180D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0180D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_180d000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3be91e51e8307aff467976233bde1be65fff35c010e7a2a5adf26555c29e5dfd
                                                                • Instruction ID: 4c09026a98df8a228fa6f2ee09c2dc6882680b0bf5177997b95f57bba99f10e8
                                                                • Opcode Fuzzy Hash: 3be91e51e8307aff467976233bde1be65fff35c010e7a2a5adf26555c29e5dfd
                                                                • Instruction Fuzzy Hash: 7F210371504308DFDB56DF94D9C0B16BBA1FB84318F20C66DE80D8B292C336D547CA62
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2518102897.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_1850000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9f5ac978580248a724019cb960c27037f45ee6cd99b8ac39e3722db47e290d0e
                                                                • Instruction ID: 85b182988eddd409fc6253d88daa0fa5eee3f8c74974ba19b35ba73366607ae7
                                                                • Opcode Fuzzy Hash: 9f5ac978580248a724019cb960c27037f45ee6cd99b8ac39e3722db47e290d0e
                                                                • Instruction Fuzzy Hash: CF215C70E04209DFE745EFB8C8446AEBBB2FF89304F1084A9D9149B394DB795A06CF51
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2518102897.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_1850000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 53d04a08e287bb0cb5debc0b9934191367b5c379edfbc8ae8721b3782e0c1c16
                                                                • Instruction ID: 1f90473f83d0e5cff962e009c2b64c135e7db7fe4e099b2078c0cad86c3bd247
                                                                • Opcode Fuzzy Hash: 53d04a08e287bb0cb5debc0b9934191367b5c379edfbc8ae8721b3782e0c1c16
                                                                • Instruction Fuzzy Hash: 5521E370D1520A8FCB51DFA8D8486EEBFF0EF4A314F0451AAD805F7225E7309A85CBA1
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2518102897.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_1850000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d9b9d1dd004b46047b41d53a002f082f7f96535fc08f84e6afbdb73dac884e59
                                                                • Instruction ID: adf6eea834fa12287610ba2ffc4e83f62106159de6a3461e31e5ec5f277883ff
                                                                • Opcode Fuzzy Hash: d9b9d1dd004b46047b41d53a002f082f7f96535fc08f84e6afbdb73dac884e59
                                                                • Instruction Fuzzy Hash: B4118C35700204CFD764DB6AD984E66B7E6FF98721B20806AE64ACF365CAB1ED01CB51
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2518102897.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_1850000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 54a4061042a8796a78e0c5111398648b06a264998b1b0dfebcf35f53c06e45a7
                                                                • Instruction ID: c462f4311622364052074070915dcd5404a3cc0bea8610ffef49c9f32c8eaa1d
                                                                • Opcode Fuzzy Hash: 54a4061042a8796a78e0c5111398648b06a264998b1b0dfebcf35f53c06e45a7
                                                                • Instruction Fuzzy Hash: D001BC32B003044FDB28ABB9885866F7BEBEF883607154479DD05CB359FE74CA408B91
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2517746898.000000000180D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0180D000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_180d000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
                                                                • Instruction ID: 2272786be9fcfd23dbfd9aae7b2d9932c11689c82c1ebb81c81299b25eb74c51
                                                                • Opcode Fuzzy Hash: e020fc52024e7c20771691695641137c464337d5c785334117d46b726f4046fe
                                                                • Instruction Fuzzy Hash: 3611BB75504284CFCB12CF94D9C4B15FFA1FB84314F28C6AAD8498B6A7C33AD44ACB62
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2518102897.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_1850000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6f4df7ed4ae268d54b468810e2aea13592c4065b9f4711e7055cc7a7483c90b3
                                                                • Instruction ID: 7f3589a2a7038233971ce88fbbe31c3ff9bd48aeb70d50e9f9ff693f25984b44
                                                                • Opcode Fuzzy Hash: 6f4df7ed4ae268d54b468810e2aea13592c4065b9f4711e7055cc7a7483c90b3
                                                                • Instruction Fuzzy Hash: 62014B32B003144BDB28AABE985866F7AEBAF887643144439DE05CB359FE71C9458B91
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2518102897.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_1850000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 6ae78312c9f598279212ceb86844ca64b89dae7d368af75b730583fe6db2a82c
                                                                • Instruction ID: d7ab2b23714b00659d97de16e712f7a11d3f6fff5a543b77342331e765dee5a8
                                                                • Opcode Fuzzy Hash: 6ae78312c9f598279212ceb86844ca64b89dae7d368af75b730583fe6db2a82c
                                                                • Instruction Fuzzy Hash: 03018B317002008FD764CB69C998B66B7E2EF98721F15806AD949CB729CAB0D901CB11
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2518102897.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_1850000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 718901e2ecf26aac6016512d75283a96187cbcd3330c78a1bdfa3e1580559efa
                                                                • Instruction ID: f4958b89f0801ee7c95af4f88ecd0f102f3e56a9ca4f82aa0fd787d8b8698413
                                                                • Opcode Fuzzy Hash: 718901e2ecf26aac6016512d75283a96187cbcd3330c78a1bdfa3e1580559efa
                                                                • Instruction Fuzzy Hash: 28014075A102099BDB54DFA9E855AAE7FB5EB88310B50452AFE15D3240DF308D10CBE1
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2518102897.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_1850000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 694d9b7b25efbf133377bb380fcf522388d6111ed59c1e98d41a1fe453bda5dd
                                                                • Instruction ID: cee0336997bb94838b83439235972c57479c1bc21d131901132c2e5f0f64d3ee
                                                                • Opcode Fuzzy Hash: 694d9b7b25efbf133377bb380fcf522388d6111ed59c1e98d41a1fe453bda5dd
                                                                • Instruction Fuzzy Hash: 81017171A0411A9FCF55DFA8D8949EEBFB5EF88310B40413AFD15D3240DB308A11CB91
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2518102897.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_1850000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 683ff921d625d9583405102c24a422201b82e0183c47d4020d8a60018ced5df8
                                                                • Instruction ID: 575779bd83c1693679cc50ee596ef5864fb9bf119666e98b88bd23d6569ded2a
                                                                • Opcode Fuzzy Hash: 683ff921d625d9583405102c24a422201b82e0183c47d4020d8a60018ced5df8
                                                                • Instruction Fuzzy Hash: 8EF0C8327083145BCB151A78A84A56D3F9AEBC9711B18402AFA06C7381DE35CD0697D4
                                                                Memory Dump Source
                                                                • Opcode Fuzzy Hash: 87e03b8ddb82e0d664b9b16a05482f0a10c86d19f8d41d74097f5293691b1ae4
                                                                • Instruction Fuzzy Hash: AAC18074E01218CFDB54DFA9C994BADBBB2AF89300F1080A9D409AB365DB355E85CF51
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2521203119.0000000005FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_5ff0000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: eac44f290f04f7aa947926f27210920ca1fb94f1f2322a2efb445fefbe579056
                                                                • Instruction ID: bd02c7b3e312a9fbc312d8aac179f8a3eea8a8a709a9c7f2fcc0396eee5968cb
                                                                • Opcode Fuzzy Hash: eac44f290f04f7aa947926f27210920ca1fb94f1f2322a2efb445fefbe579056
                                                                • Instruction Fuzzy Hash: AEC18174E01218CFDB54DFA9C994BADBBB2BF89300F1080A9D409AB365DB359E85CF51
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2521203119.0000000005FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_5ff0000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ace96521d8bce6bc6b49ab0dd1c60a5c1bb22ef11cceae6aa0fefcc2bd608748
                                                                • Instruction ID: 43973e5d4775da16b4023352dcc63ca92e9548982bf3a9d6a77a86198d4a9b0b
                                                                • Opcode Fuzzy Hash: ace96521d8bce6bc6b49ab0dd1c60a5c1bb22ef11cceae6aa0fefcc2bd608748
                                                                • Instruction Fuzzy Hash: 3DC17174E01218CFDB54DFA9C954BADBBB2BF89300F1080A9D409AB365DB356E85CF51
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2520827063.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_5a20000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4f44ed6522f6d977d6e52921c8b19b174626ce55d9bc13a5ea339f1d051afa4b
                                                                • Instruction ID: e614dc3ddccc9d9f14e715fe9222835713d5bc13c8393fbccea66bb0bce12612
                                                                • Opcode Fuzzy Hash: 4f44ed6522f6d977d6e52921c8b19b174626ce55d9bc13a5ea339f1d051afa4b
                                                                • Instruction Fuzzy Hash: F1C18074E00218CFDB54DFA9C955BADBBB2BF89300F2080A9D409AB355DB399E85CF51
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2520827063.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_5a20000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 9d2371018263af4ac353fac2e25a56cbbcca15c651590b18bc2e1fb877257dcd
                                                                • Instruction ID: 34bb40d6b1dcb45c77cd232f5896fff452cf384f70f1213727ed5b9bf4c3a4f1
                                                                • Opcode Fuzzy Hash: 9d2371018263af4ac353fac2e25a56cbbcca15c651590b18bc2e1fb877257dcd
                                                                • Instruction Fuzzy Hash: C7C18074E00218CFDB14DFA9C955BADBBB2BF89300F2080A9D809AB355DB359E85CF51
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2520827063.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_5a20000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: cd8df4e09e6bff5f0308f958b07dbc89b67b3dc5e1daafd57dbfeb8e6239f95e
                                                                • Instruction ID: e2d750b0a27e817d01a95560cccab8a1e23c5d9b09510bdaff9df4f071f700d4
                                                                • Opcode Fuzzy Hash: cd8df4e09e6bff5f0308f958b07dbc89b67b3dc5e1daafd57dbfeb8e6239f95e
                                                                • Instruction Fuzzy Hash: 11C18F74E00218CFDB14DFA9C955BADBBB2BF89300F2080A9D809AB355DB359E85CF51
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2520827063.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_5a20000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 0e519e572a94173a8ac2efa71ffc183f8adbb8b7be8b574afacd65d2b3244507
                                                                • Instruction ID: 3c10350bcfbc7a0a6efdf5919ea4631a35834fb4510ba100645fd3f2cf72f9fe
                                                                • Opcode Fuzzy Hash: 0e519e572a94173a8ac2efa71ffc183f8adbb8b7be8b574afacd65d2b3244507
                                                                • Instruction Fuzzy Hash: FDC18174E00218CFDB54DFA9C955BADBBB2BF89300F1080A9D409AB355DB35AE85CF51
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2520827063.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_5a20000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 1da39816961b15dcd06f757c26547f3b9c4611ef755d4541ec687ccf202ee30b
                                                                • Instruction ID: 9dbe0336e95a4c8340ec427242c5a560880321ab881d5c38d1e8ddf2b6d3d8a6
                                                                • Opcode Fuzzy Hash: 1da39816961b15dcd06f757c26547f3b9c4611ef755d4541ec687ccf202ee30b
                                                                • Instruction Fuzzy Hash: A1C19174E00218CFDB14DFA9D954BADBBB2BF89300F1080A9D809AB355DB359E85CF51
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2520827063.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_5a20000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: eaceff62cdda071fa7b3690a6b8d13617b56efd11cc2a92b0b861cbd7076d8dd
                                                                • Instruction ID: 7e6977d0aa144747546deae1e572a87181eda0bbc884e6d6019e0f32ea788c63
                                                                • Opcode Fuzzy Hash: eaceff62cdda071fa7b3690a6b8d13617b56efd11cc2a92b0b861cbd7076d8dd
                                                                • Instruction Fuzzy Hash: 8BC19174E01218CFDB14DFA9C955BADBBB2BF89300F2080A9D809AB355DB359E85CF50
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2520827063.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_5a20000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 46bb773d1186c28e1be57833147fa0f872769804926a7c77345f0eb8fde48bde
                                                                • Instruction ID: 2e73b909aa9750129d2fe7f17d56e30cc4a0cd033c7cdfd5d8982cf3e59ff8a9
                                                                • Opcode Fuzzy Hash: 46bb773d1186c28e1be57833147fa0f872769804926a7c77345f0eb8fde48bde
                                                                • Instruction Fuzzy Hash: 52C18F74E01218CFDB54DFA9C955BADBBB2FB89300F2080A9D409AB355DB356E85CF50
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2520827063.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_5a20000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 19be9b7ae5a724ad31c65daae96db2ab731d249d5052a90cc8ac489ed98ef204
                                                                • Instruction ID: f3fd83583328e1aea0407c621c3637346d63feabf290e2ce7d793e6961d6159a
                                                                • Opcode Fuzzy Hash: 19be9b7ae5a724ad31c65daae96db2ab731d249d5052a90cc8ac489ed98ef204
                                                                • Instruction Fuzzy Hash: B0C19074E04218CFDB14DFA9C995BADBBB2FB89300F1080A9D809AB355DB346E85CF51
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2520827063.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_5a20000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 81f265468799264fd1fa36372a4b9be0b984a2e8bf9b560962df430e391cb9ad
                                                                • Instruction ID: e4301da79a4c8ee27add10355cc184af386ba2b544ebcf1acd3ef4c09573c0d1
                                                                • Opcode Fuzzy Hash: 81f265468799264fd1fa36372a4b9be0b984a2e8bf9b560962df430e391cb9ad
                                                                • Instruction Fuzzy Hash: 9BC18074E00228CFDB54DFA9C955BADBBB2EB89300F1080A9D409AB355DB346E85CF51
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2520827063.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_5a20000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 199569db8394557c2359883cc16f6cd29b2e0a09561593130fd767fcca4f2513
                                                                • Instruction ID: 585bbf9474620cf6a8652f32b4ae45e1a9b5d72432fc6d8bac43ad0b0e3520d4
                                                                • Opcode Fuzzy Hash: 199569db8394557c2359883cc16f6cd29b2e0a09561593130fd767fcca4f2513
                                                                • Instruction Fuzzy Hash: A8C19174E00218CFDB54DFA9C995BADBBB2BF89300F1080A9D809AB355DB349E85CF50
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2520827063.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_5a20000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 002af49256dd33ae8047ad6d0a45446dfc0304fb86c469b1d282ee17046812a2
                                                                • Instruction ID: 80394af8dc6253dacdcb1e134168c8c0ea4fa76fa3312c6e13a5b9cd0231a1d2
                                                                • Opcode Fuzzy Hash: 002af49256dd33ae8047ad6d0a45446dfc0304fb86c469b1d282ee17046812a2
                                                                • Instruction Fuzzy Hash: B3C19074E00228CFDB54DFA9C955BADBBB2BF89300F1080A9D809AB355DB349E81CF51
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2520827063.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_5a20000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: c3440ea35731a6c5de235b0705dbdc53b36b97135be2da8609aa39837c48ff78
                                                                • Instruction ID: 253b60fb51097462839374e156744276ea6c545f977f3c744ee5b5e987dfed96
                                                                • Opcode Fuzzy Hash: c3440ea35731a6c5de235b0705dbdc53b36b97135be2da8609aa39837c48ff78
                                                                • Instruction Fuzzy Hash: 91C19074E00218CFDB14DFA9C955BADBBB2FB89300F1080A9D809AB355DB349E85CF51
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2520827063.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_5a20000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 257a25e96fa8b3452436fd44d4845d761c9ea79c92b3fae003a567fdaa410642
                                                                • Instruction ID: 7ec242b3fc859aa58baa3e8095dbe7aa30071af47e299116a9721418ad8c867c
                                                                • Opcode Fuzzy Hash: 257a25e96fa8b3452436fd44d4845d761c9ea79c92b3fae003a567fdaa410642
                                                                • Instruction Fuzzy Hash: AFC19074E01218CFDB54DFA9C995BADBBB2BF89300F1080A9D409AB355DB359E85CF50
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2520827063.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_5a20000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3f7e72e8f84a2a4975f58166f385686d773de76da8bfb5951db3d9c946a7d1c1
                                                                • Instruction ID: 8f9466846bd5c5ef04416da3f03cf065fe7667d13cbf0146468da6c754f27a7b
                                                                • Opcode Fuzzy Hash: 3f7e72e8f84a2a4975f58166f385686d773de76da8bfb5951db3d9c946a7d1c1
                                                                • Instruction Fuzzy Hash: B7C19174E00218CFDB14DFA9D995BADBBB2BF89300F1080A9D809AB354DB349E85CF50
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2520827063.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_5a20000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 93c09f23e2f2570ec9c3dddbe9937a032ecec1c8080f1e8921857692bb668249
                                                                • Instruction ID: e169151c61370ddf6774b471d1808da6eb9b34586c51bc20aa282dd6a45cc53f
                                                                • Opcode Fuzzy Hash: 93c09f23e2f2570ec9c3dddbe9937a032ecec1c8080f1e8921857692bb668249
                                                                • Instruction Fuzzy Hash: 71C18174E00218CFDB54DFA9C955BADBBB2BF89300F1080A9D809AB355DB359E85CF51
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2520827063.0000000005A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A20000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_5a20000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 459804b0e5b09e29a8bac5fc4247b5285aa2b6e6a71c1e3af503a7e429fa6d98
                                                                • Instruction ID: b1255ea987cb55c91221bbab840da0eeee16132153ad0a510b7e4e4d85fcd017
                                                                • Opcode Fuzzy Hash: 459804b0e5b09e29a8bac5fc4247b5285aa2b6e6a71c1e3af503a7e429fa6d98
                                                                • Instruction Fuzzy Hash: 04C19074E00218CFDB14DFA9C954BADBBB2BF89300F1090A9D809AB355DB359E85CF50
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2521203119.0000000005FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_5ff0000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5c261b7f9da64bc31dd6cf2079f436e9f6cf5c694c9fb84a3ef5b40103187e67
                                                                • Instruction ID: e95d596b47e402e4b6ad37ee02156403ca3284e8b233acb40c350008eb2c6be9
                                                                • Opcode Fuzzy Hash: 5c261b7f9da64bc31dd6cf2079f436e9f6cf5c694c9fb84a3ef5b40103187e67
                                                                • Instruction Fuzzy Hash: 791100719512088FCB61AF60E81C3BE7FB0EB0A302F1069A9E409A3595C7388A44CF60
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2521203119.0000000005FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FF0000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_5ff0000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 5e1e363dbc3a1c14646f194b963dcc6829b4455c0a0f649d7bf4f678f0872cc5
                                                                • Instruction ID: 60f82c5a731a833d64f844f8791e39e3f863c51cafbe40448a017ad790f7144e
                                                                • Opcode Fuzzy Hash: 5e1e363dbc3a1c14646f194b963dcc6829b4455c0a0f649d7bf4f678f0872cc5
                                                                • Instruction Fuzzy Hash: 6C018171D11208DFDB55AFA0E45C3BE7BB0EB0A313F106859940AA3194DB344A44CF50
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2518102897.0000000001850000.00000040.00000800.00020000.00000000.sdmp, Offset: 01850000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_1850000_PDF6UU0CVUO2W-YGVUIO.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: Xq$Xq$Xq$Xq
                                                                • API String ID: 0-3965792415
                                                                • Opcode ID: a5a160f6240719f257ba65c5fc02ce6c2ca14ae8c95b073e3efab837ef5d6884
                                                                • Instruction ID: f4b7072001072fe3811afbf7dd7e0dd792725c5fc3d0044fa8b307372695ba25
                                                                • Opcode Fuzzy Hash: a5a160f6240719f257ba65c5fc02ce6c2ca14ae8c95b073e3efab837ef5d6884
                                                                • Instruction Fuzzy Hash: 93315670D003198FEFB69B6984593AEB7F6EB84310F1440A58949E7251EF708B85CB93