

Windows Analysis Report
MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe

Overview

General Information

Sample name: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe
Analysis ID: 1592411
MD5: a81a0f916354b1ee0232c5eae992c365
SHA1: 36199281d68f7e2f663e76756d6a5f4561cdf236
SHA256: 3cfe012c870ebeb15a1288b7cdb3b50016e2329c7fbd63ef18f189727269d49c
Tags: exe, user-threatcat_ch

Detection

MassLogger RAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected MassLogger RAT
Yara detected Telegram RAT
AI detected suspicious sample
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected non-DNS traffic on DNS port
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • cleanup

Malware Configuration (MassLogger)

{"EXfil Mode": "SMTP", "From": "hubservices@navecepa.com", "Password": "yiwLgN*rC4", "Server": "smtp.navecepa.com", "Port": 587}
Source | Rule | Description | Author | Strings
00000001.00000002.2923641724.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
00000001.00000002.2923641724.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000001.00000002.2923641724.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000001.00000002.2923641724.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0xf061:$a1: get_encryptedPassword
  • 0xf389:$a2: get_encryptedUsername
  • 0xedea:$a3: get_timePasswordChanged
  • 0xef0b:$a4: get_passwordField
  • 0xf077:$a5: set_encryptedPassword
  • 0x109dc:$a7: get_logins
  • 0x1068d:$a8: GetOutlookPasswords
  • 0x1047f:$a9: StartKeylogger
  • 0x1092c:$a10: KeyLoggerEventArgs
  • 0x104dc:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1688815803.0000000004144000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
(table has 12 entries; remaining entries not shown)
Source | Rule | Description | Author | Strings
0.2.MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe.4172290.5.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
0.2.MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe.4172290.5.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe.4172290.5.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
0.2.MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe.4172290.5.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0xd461:$a1: get_encryptedPassword
  • 0xd789:$a2: get_encryptedUsername
  • 0xd1ea:$a3: get_timePasswordChanged
  • 0xd30b:$a4: get_passwordField
  • 0xd477:$a5: set_encryptedPassword
  • 0xeddc:$a7: get_logins
  • 0xea8d:$a8: GetOutlookPasswords
  • 0xe87f:$a9: StartKeylogger
  • 0xed2c:$a10: KeyLoggerEventArgs
  • 0xe8dc:$a11: KeyLoggerEventArgsEventHandler
0.2.MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe.4172290.5.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x124b3:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x119b1:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x11cbf:$a4: \Orbitum\User Data\Default\Login Data
  • 0x12ab7:$a5: \Kometa\User Data\Default\Login Data
(table has 20 entries; remaining entries not shown)

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-16T05:22:01.198627+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49730 | 193.122.130.0 | 80 | TCP

AV Detection

Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Avira: detected
Source: 0.2.MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe.4172290.5.raw.unpack | Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "hubservices@navecepa.com", "Password": "yiwLgN*rC4", "Server": "smtp.navecepa.com", "Port": 587}
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Virustotal: Detection: 48%
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | ReversingLabs: Detection: 34%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Joe Sandbox ML: detected

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49731 version: TLS 1.0
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: G:\IMPORTANT SRC\GOOD Nova\Crypter\Stubs Fully\Public\Public Runpe\PR\PR\obj\Debug\Poses.pdb | source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000000.00000002.1688730717.0000000003051000.00000004.00000800.00020000.00000000.sdmp, MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000000.00000002.1689915581.0000000005640000.00000004.08000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Code function: 4x nop then jmp 01468922h | 1_2_01468508
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Code function: 4x nop then jmp 014681F9h | 1_2_01467F48
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Code function: 4x nop then jmp 01468922h | 1_2_014684F8
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Code function: 4x nop then jmp 01468922h | 1_2_0146884F
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Code function: 4x nop then jmp 0146FAF8h | 1_2_0146F7F8
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Code function: 4x nop then jmp 05D43861h | 1_2_05D435B8
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Code function: 4x nop then jmp 05D46768h | 1_2_05D464C0
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Code function: 4x nop then jmp 05D4E798h | 1_2_05D4E4F0
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Code function: 4x nop then jmp 05D4DA90h | 1_2_05D4D7E8
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Code function: 4x nop then jmp 05D44A55h | 1_2_05D44718
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Code function: 4x nop then jmp 05D4F8F8h | 1_2_05D4F650
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Code function: 4x nop then jmp 05D47470h | 1_2_05D471C8
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Code function: 4x nop then jmp 05D4F4A0h | 1_2_05D4F1F8
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Code function: 4x nop then jmp 05D43409h | 1_2_05D43160
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Code function: 4x nop then jmp 05D4E340h | 1_2_05D4E098
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Code function: 4x nop then jmp 05D46310h | 1_2_05D46068
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Code function: 4x nop then jmp 05D4D638h | 1_2_05D4D390
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Code function: 4x nop then jmp 05D44569h | 1_2_05D442C0
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Code function: 4x nop then jmp 05D4D1E0h | 1_2_05D4CDC0
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Code function: 4x nop then jmp 05D4F048h | 1_2_05D4EDA0
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Code function: 4x nop then jmp 05D47018h | 1_2_05D46D70
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Code function: 4x nop then jmp 05D4DEE8h | 1_2_05D4DC40
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Code function: 4x nop then jmp 05D45EB8h | 1_2_05D45C10
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Code function: 4x nop then jmp 05D45EB8h | 1_2_05D45E55
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Code function: 4x nop then jmp 05D44111h | 1_2_05D43E68
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Code function: 4x nop then jmp 05D4EBF0h | 1_2_05D4E948
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Code function: 4x nop then jmp 05D46BC0h | 1_2_05D46918
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Code function: 4x nop then jmp 05D4FD50h | 1_2_05D4FAA8
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Code function: 4x nop then jmp 05D43CB9h | 1_2_05D43A10
Source: global traffic | TCP traffic: 192.168.2.4:56925 -> 162.159.36.2:53
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1, Host: reallyfreegeoip.org, Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.21.48.1
Source: Joe Sandbox View | IP Address: 193.122.130.0
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49730 -> 193.122.130.0:80
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;), Host: checkip.dyndns.org, Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;), Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49731 version: TLS 1.0
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2 (4 occurrences)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (3 occurrences)
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1, Host: reallyfreegeoip.org, Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;), Host: checkip.dyndns.org, Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;), Host: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000001.00000002.2925288790.000000000324F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000001.00000002.2925288790.000000000324F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.comd
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000001.00000002.2925288790.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000001.00000002.2925288790.000000000324F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000001.00000002.2925288790.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000001.00000002.2925288790.000000000324F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/d
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000000.00000002.1688815803.0000000004144000.00000004.00000800.00020000.00000000.sdmp, MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000001.00000002.2923641724.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000001.00000002.2925288790.000000000324F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.orgd
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000001.00000002.2925288790.000000000326B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000001.00000002.2925288790.000000000326B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.orgd
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000001.00000002.2925288790.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000000.00000002.1688815803.0000000004144000.00000004.00000800.00020000.00000000.sdmp, MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000001.00000002.2923641724.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000001.00000002.2925288790.000000000324F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000000.00000002.1688815803.0000000004144000.00000004.00000800.00020000.00000000.sdmp, MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000001.00000002.2925288790.000000000324F000.00000004.00000800.00020000.00000000.sdmp, MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000001.00000002.2923641724.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000001.00000002.2925288790.000000000324F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000001.00000002.2925288790.000000000324F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443

                System Summary

                barindex
                Source: 0.2.MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe.4172290.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe.4172290.5.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 1.2.MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 1.2.MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe.415b460.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe.415b460.3.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe.4172290.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe.4172290.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe.415b460.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe.415b460.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 00000001.00000002.2923641724.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000000.00000002.1688815803.0000000004144000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe PID: 7524, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe PID: 7556, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: initial sampleStatic PE information: Filename: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 0_2_01477AE80_2_01477AE8
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 0_2_01477AD80_2_01477AD8
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_0146AC081_2_0146AC08
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_0146F1281_2_0146F128
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_014619B81_2_014619B8
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_01467F481_2_01467F48
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_0146E7701_2_0146E770
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_0146E7801_2_0146E780
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_0146ABF81_2_0146ABF8
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_01462DD11_2_01462DD1
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_0146EF081_2_0146EF08
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_0146F7F81_2_0146F7F8
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_0146F6FE1_2_0146F6FE
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_01467F371_2_01467F37
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D476201_2_05D47620
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D4A8A01_2_05D4A8A0
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D49B401_2_05D49B40
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D435B81_2_05D435B8
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D435A71_2_05D435A7
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D464C01_2_05D464C0
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D4E4F01_2_05D4E4F0
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D4E4E11_2_05D4E4E1
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D464B01_2_05D464B0
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D4D7D81_2_05D4D7D8
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D4D7E81_2_05D4D7E8
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D447181_2_05D44718
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D447081_2_05D44708
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D4F6501_2_05D4F650
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D4F6411_2_05D4F641
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D471C81_2_05D471C8
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D4F1F81_2_05D4F1F8
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D4F1E91_2_05D4F1E9
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D471B81_2_05D471B8
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D431501_2_05D43150
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D431601_2_05D43160
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D4E0981_2_05D4E098
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D4E0881_2_05D4E088
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D460591_2_05D46059
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D400401_2_05D40040
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D460681_2_05D46068
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D400061_2_05D40006
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D4D3901_2_05D4D390
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D4D3801_2_05D4D380
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D442C01_2_05D442C0
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D442AF1_2_05D442AF
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D4CDC01_2_05D4CDC0
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D4ED901_2_05D4ED90
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D4EDA01_2_05D4EDA0
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D46D701_2_05D46D70
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D44D781_2_05D44D78
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D46D601_2_05D46D60
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D44D681_2_05D44D68
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D4DC401_2_05D4DC40
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D44C6A1_2_05D44C6A
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D45C101_2_05D45C10
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D45C001_2_05D45C00
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D4DC301_2_05D4DC30
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D43E581_2_05D43E58
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D43E681_2_05D43E68
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D4E9481_2_05D4E948
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D469181_2_05D46918
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D469081_2_05D46908
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D4E9381_2_05D4E938
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D4FA981_2_05D4FA98
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D4FAA81_2_05D4FAA8
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D43A101_2_05D43A10
                Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exeCode function: 1_2_05D43A001_2_05D43A00
                Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000000.00000002.1688430987.0000000002E90000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameAntiBossing.dll8 vs MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe
                Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000000.00000002.1688730717.0000000003051000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePoses.dll, vs MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe
                Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000000.00000002.1689915581.000000000564C000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamePoses.dll, vs MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000000.00000002.1688730717.0000000003081000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePoses.dll, vs MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000000.00000002.1688730717.0000000003081000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000000.00000002.1688815803.0000000004144000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000000.00000002.1687481772.0000000001359000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenametenE6 vs MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000000.00000000.1684495705.0000000000D2A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenametenEleven.exe4 vs MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000000.00000002.1687481772.00000000012CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000001.00000002.2923641724.000000000041A000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000001.00000002.2923791566.0000000000FC7000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Binary or memory string: OriginalFilenametenEleven.exe4 vs MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe.4172290.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe.4172290.5.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 1.2.MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe.415b460.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe.415b460.3.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe.4172290.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe.4172290.5.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe.415b460.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe.415b460.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.2923641724.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1688815803.0000000004144000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe PID: 7524, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe PID: 7556, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/1@3/2
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe.log
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Mutant created: NULL
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000001.00000002.2925288790.00000000032BF000.00000004.00000800.00020000.00000000.sdmp, MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000001.00000002.2925288790.00000000032AF000.00000004.00000800.00020000.00000000.sdmp, MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000001.00000002.2925288790.00000000032CD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Virustotal: Detection: 48%
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | ReversingLabs: Detection: 34%
Source: unknown | Process created: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe "C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe"
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Process created: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe "C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe"
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: G:\IMPORTANT SRC\GOOD Nova\Crypter\Stubs Fully\Public\Public Runpe\PR\PR\obj\Debug\Poses.pdb source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000000.00000002.1688730717.0000000003051000.00000004.00000800.00020000.00000000.sdmp, MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000000.00000002.1689915581.0000000005640000.00000004.08000000.00040000.00000000.sdmp
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Static PE information: 0x95727CE5 [Mon Jun 14 18:31:01 2049 UTC]
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Static PE information: section name: .text entropy: 7.790287157093613
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | File created: \mv. asl rose - vessel's desc.pdf.scr.exe
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Process information set: NOOPENFILEERRORBOX (79 identical events)
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Memory allocated: 1470000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Memory allocated: 3050000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Memory allocated: 5050000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Memory allocated: 1460000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Memory allocated: 31D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Memory allocated: 2FC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe TID: 7544 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Thread delayed: delay time: 922337203685477
Source: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000001.00000002.2924455964.00000000014A6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllecture=MSIL"/>
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Code function: 1_2_0146F128 LdrInitializeThunk,LdrInitializeThunk,1_2_0146F128
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe
• Memory written: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe base: 400000 value starts with: 4D5A
• Process created: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe "C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe"
• Queries volume information: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe VolumeInformation (2 occurrences)
• Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation (2 occurrences)
• Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation (2 occurrences)
• Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
• Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
• Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
• Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
• Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

Source: Yara match, file source: 0.2.MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe.4172290.5.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe.415b460.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe.4172290.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe.415b460.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000001.00000002.2923641724.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1688815803.0000000004144000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.2925288790.00000000032F4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe PID: 7524, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe PID: 7556, type: MEMORYSTR
Source: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe
• File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
• File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
• Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

                Remote Access Functionality

Source: Yara match, file source: 0.2.MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe.4172290.5.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe.415b460.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe.4172290.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe.415b460.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000001.00000002.2923641724.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1688815803.0000000004144000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe PID: 7524, type: MEMORYSTR
Source: Yara match, file source: Process Memory Space: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe PID: 7556, type: MEMORYSTR
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 111 Process Injection | 1 Masquerading | 1 OS Credential Dumping | 1 Query Registry | Remote Services | 1 Email Collection | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Disable or Modify Tools | LSASS Memory | 1 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 31 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | 1 Data from Local System | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 111 Process Injection | NTDS | 31 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 System Network Configuration Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Software Packing | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Timestomp | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

Source | Detection | Scanner | Label
MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | 49% | Virustotal |
MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | 34% | ReversingLabs | ByteCode-MSIL.Infostealer.Tinba
MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | 100% | Avira | HEUR/AGEN.1308776
MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
http://reallyfreegeoip.orgd | 0% | Avira URL Cloud | safe
http://checkip.dyndns.orgd | 0% | Avira URL Cloud | safe
http://checkip.dyndns.comd | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 104.21.48.1 | true | false | | high
checkip.dyndns.com | 193.122.130.0 | true | false | | high
15.164.165.52.in-addr.arpa | unknown | unknown | false | | high
checkip.dyndns.org | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org/xml/8.46.123.189l | MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000001.00000002.2925288790.000000000324F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.comd | MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000001.00000002.2925288790.000000000324F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://checkip.dyndns.org/q | MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000000.00000002.1688815803.0000000004144000.00000004.00000800.00020000.00000000.sdmp; MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000001.00000002.2923641724.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://reallyfreegeoip.orgd | MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000001.00000002.2925288790.000000000326B000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org/xml/8.46.123.189d | MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000001.00000002.2925288790.000000000324F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://reallyfreegeoip.org | MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000001.00000002.2925288790.000000000326B000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.orgd | MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000001.00000002.2925288790.000000000324F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org | MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000001.00000002.2925288790.000000000324F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org | MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000001.00000002.2925288790.00000000031D1000.00000004.00000800.00020000.00000000.sdmp; MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000001.00000002.2925288790.000000000324F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.com | MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000001.00000002.2925288790.000000000324F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org/d | MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000001.00000002.2925288790.000000000324F000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000001.00000002.2925288790.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot-/sendDocument?chat_id= | MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000000.00000002.1688815803.0000000004144000.00000004.00000800.00020000.00000000.sdmp; MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000001.00000002.2923641724.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/ | MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000000.00000002.1688815803.0000000004144000.00000004.00000800.00020000.00000000.sdmp; MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000001.00000002.2925288790.000000000324F000.00000004.00000800.00020000.00000000.sdmp; MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe, 00000001.00000002.2923641724.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.48.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
193.122.130.0 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1592411
Start date and time: 2025-01-16 05:21:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 7s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/1@3/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 46
• Number of non-executed functions: 26
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 172.202.163.200, 52.165.164.15, 20.12.23.50, 13.107.246.45
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
                                                  No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.48.1 | ydJaT4b5N8.exe | malicious | FormBook | www.vilakodsiy.sbs/vq3j/
104.21.48.1 | NWPZbNcRxL.exe | malicious | FormBook | www.axis138ae.shop/j2vs/
104.21.48.1 | SH8ZyOWNi2.exe | malicious | CMSBrute | twirpx.org/administrator/index.php
104.21.48.1 | SN500, SN150 Spec.exe | malicious | FormBook | www.antipromil.site/7ykh/
193.122.130.0 | PDF6UU0CVUO2W-YGVUIO.scr.exe | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
193.122.130.0 | PO#_1100015533.scr | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
193.122.130.0 | 1nl3hc.ps1 | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | 50201668.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | MB263350411AE_1.scr.exe | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
193.122.130.0 | slime crypted.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | MB263350411AE.scr.exe | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
193.122.130.0 | Remittance Advice.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | h8izmpp1ZM.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | x8M2g1Xxhz.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
checkip.dyndns.com | New PO.exe | malicious | MassLogger RAT, PureLog Stealer | 158.101.44.242
checkip.dyndns.com | WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe | malicious | MassLogger RAT | 132.226.8.169
checkip.dyndns.com | MV Nicos Tomasos Vessel Parts.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | order6566546663.exe | malicious | Snake Keylogger | 132.226.247.73
checkip.dyndns.com | Order Details.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | BNXCXCJSD.jse | malicious | MassLogger RAT | 132.226.247.73
checkip.dyndns.com | NEWORDER.exe | malicious | MassLogger RAT | 132.226.247.73
checkip.dyndns.com | Invoice No 1122207 pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
checkip.dyndns.com | PDF6UU0CVUO2W-YGVUIO.scr.exe | malicious | MassLogger RAT, PureLog Stealer | 193.122.130.0
checkip.dyndns.com | PO#_1100015533.scr | malicious | MassLogger RAT, PureLog Stealer | 193.122.130.0
reallyfreegeoip.org | New PO.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.32.1
reallyfreegeoip.org | WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe | malicious | MassLogger RAT | 104.21.64.1
reallyfreegeoip.org | order6566546663.exe | malicious | Snake Keylogger | 104.21.48.1
reallyfreegeoip.org | Order Details.exe | malicious | Snake Keylogger | 104.21.32.1
reallyfreegeoip.org | BNXCXCJSD.jse | malicious | MassLogger RAT | 104.21.16.1
reallyfreegeoip.org | NEWORDER.exe | malicious | MassLogger RAT | 104.21.96.1
reallyfreegeoip.org | Invoice No 1122207 pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.112.1
reallyfreegeoip.org | PDF6UU0CVUO2W-YGVUIO.scr.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.96.1
reallyfreegeoip.org | PO#_1100015533.scr | malicious | MassLogger RAT, PureLog Stealer | 104.21.80.1
reallyfreegeoip.org | 1nl3hc.ps1 | malicious | MassLogger RAT | 104.21.112.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | https://guf1.xemirax.ru/6XAVE/#S#ZWRtb25kLmxlZUBpbm5vY2FwLmNvbQ== | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | https://yt1s.com/en115 | malicious | Unknown | 104.21.11.245
CLOUDFLARENETUS | New PO.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.32.1
CLOUDFLARENETUS | Pedang @ P#U00ecsau.exe | malicious | Brontok | 104.21.48.1
CLOUDFLARENETUS | WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe | malicious | MassLogger RAT | 104.21.64.1
CLOUDFLARENETUS | order6566546663.exe | malicious | Snake Keylogger | 104.21.16.1
CLOUDFLARENETUS | Order Details.exe | malicious | Snake Keylogger | 104.21.32.1
CLOUDFLARENETUS | Subscription_Renewal_Invoice_2025_FGHDCS.html | malicious | HTMLPhisher | 104.17.25.14
CLOUDFLARENETUS | https://yogalisbon.gitcz.pw/sign-in | malicious | Unknown | 104.21.112.1
CLOUDFLARENETUS | http://com-evaluate-fanpage30127.pages.dev/help/contact/671203900952887 | malicious | HTMLPhisher | 188.114.97.3
ORACLE-BMC-31898US | New PO.exe | malicious | MassLogger RAT, PureLog Stealer | 158.101.44.242
ORACLE-BMC-31898US | MV Nicos Tomasos Vessel Parts.exe | malicious | Snake Keylogger | 193.122.6.168
ORACLE-BMC-31898US | Order Details.exe | malicious | Snake Keylogger | 193.122.6.168
ORACLE-BMC-31898US | Execute.ps1 | malicious | Metasploit | 158.101.196.44
ORACLE-BMC-31898US | Invoice No 1122207 pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
ORACLE-BMC-31898US | PDF6UU0CVUO2W-YGVUIO.scr.exe | malicious | MassLogger RAT, PureLog Stealer | 193.122.130.0
ORACLE-BMC-31898US | PO#_1100015533.scr | malicious | MassLogger RAT, PureLog Stealer | 193.122.130.0
ORACLE-BMC-31898US | 1nl3hc.ps1 | malicious | MassLogger RAT | 193.122.130.0
ORACLE-BMC-31898US | Contrarre.exe | malicious | MassLogger RAT | 193.122.6.168
ORACLE-BMC-31898US | Company introduction.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | New PO.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.48.1
54328bd36c14bd82ddaa0c04b25ed9ad | WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe | malicious | MassLogger RAT | 104.21.48.1
54328bd36c14bd82ddaa0c04b25ed9ad | order6566546663.exe | malicious | Snake Keylogger | 104.21.48.1
54328bd36c14bd82ddaa0c04b25ed9ad | Order Details.exe | malicious | Snake Keylogger | 104.21.48.1
54328bd36c14bd82ddaa0c04b25ed9ad | BNXCXCJSD.jse | malicious | MassLogger RAT | 104.21.48.1
54328bd36c14bd82ddaa0c04b25ed9ad | NEWORDER.exe | malicious | MassLogger RAT | 104.21.48.1
54328bd36c14bd82ddaa0c04b25ed9ad | Invoice No 1122207 pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.48.1
54328bd36c14bd82ddaa0c04b25ed9ad | PDF6UU0CVUO2W-YGVUIO.scr.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.48.1
54328bd36c14bd82ddaa0c04b25ed9ad | 1nl3hc.ps1 | malicious | MassLogger RAT | 104.21.48.1
54328bd36c14bd82ddaa0c04b25ed9ad | Contrarre.exe | malicious | MassLogger RAT | 104.21.48.1
                                                  No context
                                                  Process:C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):609
                                                  Entropy (8bit):5.356231720746034
                                                  Encrypted:false
                                                  SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKharkvoDLI4MWuCq1KDLI4M6:ML9E4KlKDE4KhKiKhIE4Kx1qE4j
                                                  MD5:96CC94FC13A30D01C0D672AE291242F6
                                                  SHA1:96A1D1362646EB1904805C8D008A1C23B6818CD6
                                                  SHA-256:87AC5F82270362FA03819438BBF1AF7BFE89F3B2116BD08BCCA4836DB38CDDE7
                                                  SHA-512:D70D9B54A67AAD21444B6BDE3FA72AED2BEA5AE851646D1145D6280C0A72C3C0CB643E1930BAE23795A842C7F6B37C3D33104372CF8221B898890710126BC957
                                                  Malicious:true
                                                  Reputation:low
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Entropy (8bit):7.775341999193462
                                                  TrID:
                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                  • DOS Executable Generic (2002/1) 0.01%
                                                  File name:MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe
                                                  File size:235'520 bytes
                                                  MD5:a81a0f916354b1ee0232c5eae992c365
                                                  SHA1:36199281d68f7e2f663e76756d6a5f4561cdf236
                                                  SHA256:3cfe012c870ebeb15a1288b7cdb3b50016e2329c7fbd63ef18f189727269d49c
                                                  SHA512:b10f7f9bee31068396d1583b2ee230bb787ad4842eb27f7618a145badf9825aedf4c4f94ba27d6fa1755c06e0a432b133413d90f3d827dd3fe0dfb35cd1b2089
                                                  SSDEEP:3072:B8C9NzwHKpHbwVAeu0Y8GC1UyAd9g8QwOGYpKDBvO6AR+xx7CG9Uv3tSsPT:1NhpHYAbm1Uld9grwpBvO66cZEdn
                                                  TLSH:DF3418D482FC8D0AD96788B479BAA3F711B8788D1735E423230386B50D9176867BCF5B
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....|r...............0..h..........~.... ........@.. ....................................@................................
                                                  Icon Hash:2e272325acd37560
                                                  Entrypoint:0x43867e
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x95727CE5 [Mon Jun 14 18:31:01 2049 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
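The 2049 build date in the Time Stamp field above is what the "Binary contains a suspicious time stamp" signature keys on. The Python below is an added illustration, not part of the Joe Sandbox report: it reads TimeDateStamp out of a PE header and classifies it. The header bytes are constructed to carry this sample's values (0x95727CE5, i386, three sections, EXECUTABLE_IMAGE | 32BIT_MACHINE); the verdict rules and the ANALYSIS_TIME constant (derived from the capture timestamps) are the example's own. One caveat for triage: 0x95727CE5 has its high bit set, and Roslyn (and MSVC /Brepro) deterministic builds deliberately store a content hash with the high bit set in this field, so a post-2038 date on a .NET binary is not by itself evidence of tampering.

```python
"""Read IMAGE_FILE_HEADER.TimeDateStamp from a PE image and classify it.

Added example for this report, not Joe Sandbox code.  build_minimal_pe_header()
constructs just enough of an image to parse, carrying the values the report
shows for this sample (Time Stamp 0x95727CE5, i386, three sections,
EXECUTABLE_IMAGE | 32BIT_MACHINE); the verdict rules are the example's own.
"""
import struct
from datetime import datetime, timedelta, timezone

IMAGE_FILE_MACHINE_I386 = 0x14C
REPORT_TIMESTAMP = 0x95727CE5     # "Time Stamp" field in the report
ANALYSIS_TIME = 1737001320        # 2025-01-16 04:22:00 UTC, capture time in the report


def build_minimal_pe_header(timestamp: int, machine: int = IMAGE_FILE_MACHINE_I386,
                            n_sections: int = 3) -> bytes:
    """Constructed input: DOS header, e_lfanew -> PE signature, then IMAGE_FILE_HEADER."""
    e_lfanew = 0x40                                   # PE signature right after the DOS header
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)       # e_lfanew is the DWORD at offset 0x3C
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader (PE32: 0xE0), Characteristics (0x0002 | 0x0100)
    file_header = struct.pack("<HHIIIHH", machine, n_sections, timestamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\x00\x00" + file_header


def pe_timestamp(data: bytes) -> int:
    """Return TimeDateStamp (seconds since 1970-01-01 UTC), validating both signatures."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature; TimeDateStamp sits after
    # Machine (2 bytes) and NumberOfSections (2 bytes).
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return ts


def decode_utc(ts: int) -> str:
    """Render the stamp the way the report does, as a UTC date."""
    when = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=ts)
    return when.strftime("%Y-%m-%d %H:%M:%S UTC")


def timestamp_verdict(ts: int, now: int, slack: int = 86400) -> str:
    """Classify a TimeDateStamp against the observation time `now` (Unix seconds).

    zero            field cleared, carries no information
    hash_or_forged  high bit set: Roslyn and MSVC deterministic builds store a content
                    hash here with the high bit set (it decodes to a date past 2038),
                    and malware authors forge the field; either way it is not a build time
    future          a real-looking stamp that is still ahead of the observation time
    plausible       anything else
    """
    if ts == 0:
        return "zero"
    if ts & 0x80000000:
        return "hash_or_forged"
    if ts > now + slack:
        return "future"
    return "plausible"


def analyze(data: bytes, now: int) -> dict:
    ts = pe_timestamp(data)
    return {"timestamp": ts, "decoded_utc": decode_utc(ts), "verdict": timestamp_verdict(ts, now)}


if __name__ == "__main__":
    print(analyze(build_minimal_pe_header(REPORT_TIMESTAMP), ANALYSIS_TIME))
```

On a real file, pass the first few hundred bytes of the image to analyze(); the decoded date for this sample reproduces the report's "Mon Jun 14 18:31:01 2049 UTC", and the verdict is the one to record rather than the date.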
Instruction
jmp dword ptr [00402000h]
(The 97 instructions that follow in the listing all decode as "add byte ptr [eax], al", opcode 00 00: the bytes after the stub are zero padding.) The jmp through the IAT slot at 0x402000 (IMAGE_DIRECTORY_ENTRY_IAT below, 8 bytes) is the standard native entry stub of a managed executable; it transfers control to _CorExeMain in mscoree.dll, the sample's only import, and the CLR takes over from there.
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x38630          0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x3a000          0x2bc0        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x3e000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
A populated COM_DESCRIPTOR entry (the 0x48-byte CLR header at RVA 0x2008) is what marks the image as managed; the empty SECURITY directory matches "Digitally signed: false" above.
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0x36684       0x36800   8923e8cb3a8ee727b043c840a2acf707  False     0.7070222907110092  data       7.790287157093613    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x3a000          0x2bc0        0x2c00    75aea0495ac80e5dd3730772defbfb97  False     0.9067826704545454  data       7.623650691699043    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x3e000          0xc           0x200     ccd6070a380d8d5eb329b2851ccebc95  False     0.044921875         data       0.09800417566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Both .text (7.79) and .rsrc (7.62) sit close to the 8.0 ceiling of 8-bit entropy. Plain CIL and metadata do not score that high, so most of the 0x36800-byte .text section is in all likelihood a compressed or encrypted blob, which fits the injected PE reported in the signatures above.
Name           RVA      Size    Type                                                                               Language  Country  ZLIB Complexity
RT_ICON        0x3a130  0x2574  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                                           0.9800792657488527
RT_GROUP_ICON  0x3c6a4  0x14    data                                                                                                  0.9
RT_VERSION     0x3c6b8  0x31c   data                                                                                                  0.4258793969849246
RT_MANIFEST    0x3c9d4  0x1ea   XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                     0.5489795918367347
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                        SID      Signature                                          Severity  Source IP    Source Port  Dest IP        Dest Port  Protocol
2025-01-16T05:22:01.198627+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.4  49730        193.122.130.0  80         TCP
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Jan 16, 2025 05:22:00.593323946 CET  49730        80         192.168.2.4    193.122.130.0
Jan 16, 2025 05:22:00.599281073 CET  80           49730      193.122.130.0  192.168.2.4
Jan 16, 2025 05:22:00.599380016 CET  49730        80         192.168.2.4    193.122.130.0
Jan 16, 2025 05:22:00.599602938 CET  49730        80         192.168.2.4    193.122.130.0
Jan 16, 2025 05:22:00.605365038 CET  80           49730      193.122.130.0  192.168.2.4
Jan 16, 2025 05:22:01.053620100 CET  80           49730      193.122.130.0  192.168.2.4
Jan 16, 2025 05:22:01.057292938 CET  49730        80         192.168.2.4    193.122.130.0
Jan 16, 2025 05:22:01.062232971 CET  80           49730      193.122.130.0  192.168.2.4
Jan 16, 2025 05:22:01.156481981 CET  80           49730      193.122.130.0  192.168.2.4
Jan 16, 2025 05:22:01.165532112 CET  49731        443        192.168.2.4    104.21.48.1
Jan 16, 2025 05:22:01.165589094 CET  443          49731      104.21.48.1    192.168.2.4
Jan 16, 2025 05:22:01.165824890 CET  49731        443        192.168.2.4    104.21.48.1
Jan 16, 2025 05:22:01.175362110 CET  49731        443        192.168.2.4    104.21.48.1
Jan 16, 2025 05:22:01.175401926 CET  443          49731      104.21.48.1    192.168.2.4
Jan 16, 2025 05:22:01.198626995 CET  49730        80         192.168.2.4    193.122.130.0
Jan 16, 2025 05:22:01.636190891 CET  443          49731      104.21.48.1    192.168.2.4
Jan 16, 2025 05:22:01.636281967 CET  49731        443        192.168.2.4    104.21.48.1
Jan 16, 2025 05:22:01.642519951 CET  49731        443        192.168.2.4    104.21.48.1
Jan 16, 2025 05:22:01.642532110 CET  443          49731      104.21.48.1    192.168.2.4
Jan 16, 2025 05:22:01.642862082 CET  443          49731      104.21.48.1    192.168.2.4
Jan 16, 2025 05:22:01.682853937 CET  49731        443        192.168.2.4    104.21.48.1
Jan 16, 2025 05:22:01.692341089 CET  49731        443        192.168.2.4    104.21.48.1
Jan 16, 2025 05:22:01.735347033 CET  443          49731      104.21.48.1    192.168.2.4
Jan 16, 2025 05:22:01.801872969 CET  443          49731      104.21.48.1    192.168.2.4
Jan 16, 2025 05:22:01.801919937 CET  443          49731      104.21.48.1    192.168.2.4
Jan 16, 2025 05:22:01.801975012 CET  49731        443        192.168.2.4    104.21.48.1
Jan 16, 2025 05:22:01.814264059 CET  49731        443        192.168.2.4    104.21.48.1
Jan 16, 2025 05:22:33.800167084 CET  56925        53         192.168.2.4    162.159.36.2
Jan 16, 2025 05:22:33.805073023 CET  53           56925      162.159.36.2   192.168.2.4
Jan 16, 2025 05:22:33.805155039 CET  56925        53         192.168.2.4    162.159.36.2
Jan 16, 2025 05:22:33.810103893 CET  53           56925      162.159.36.2   192.168.2.4
Jan 16, 2025 05:22:34.268959045 CET  56925        53         192.168.2.4    162.159.36.2
Jan 16, 2025 05:22:34.274138927 CET  53           56925      162.159.36.2   192.168.2.4
Jan 16, 2025 05:22:34.274226904 CET  56925        53         192.168.2.4    162.159.36.2
Jan 16, 2025 05:23:06.155477047 CET  80           49730      193.122.130.0  192.168.2.4
Jan 16, 2025 05:23:06.155596018 CET  49730        80         192.168.2.4    193.122.130.0
Jan 16, 2025 05:23:41.167717934 CET  49730        80         192.168.2.4    193.122.130.0
Jan 16, 2025 05:23:41.172877073 CET  80           49730      193.122.130.0  192.168.2.4
Three conversations are visible: port 49730 to 193.122.130.0:80 (checkip.dyndns.org, kept alive until 05:23:41), port 49731 to 104.21.48.1:443 (reallyfreegeoip.org), and a short TCP exchange with 162.159.36.2 on port 53 at 05:22:33 to 05:22:34. That last one has no query recorded in the DNS tables below, where every lookup the sample makes goes over UDP to 1.1.1.1.
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Jan 16, 2025 05:22:00.577281952 CET  55512        53         192.168.2.4   1.1.1.1
Jan 16, 2025 05:22:00.584521055 CET  53           55512      1.1.1.1       192.168.2.4
Jan 16, 2025 05:22:01.157799959 CET  49685        53         192.168.2.4   1.1.1.1
Jan 16, 2025 05:22:01.165002108 CET  53           49685      1.1.1.1       192.168.2.4
Jan 16, 2025 05:22:33.799551010 CET  53           53576      162.159.36.2  192.168.2.4
Jan 16, 2025 05:22:34.312478065 CET  59235        53         192.168.2.4   1.1.1.1
Jan 16, 2025 05:22:34.320681095 CET  53           59235      1.1.1.1       192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 16, 2025 05:22:00.577281952 CET | 192.168.2.4 | 1.1.1.1 | 0xcc95 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jan 16, 2025 05:22:01.157799959 CET | 192.168.2.4 | 1.1.1.1 | 0xe648 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Jan 16, 2025 05:22:34.312478065 CET | 192.168.2.4 | 1.1.1.1 | 0x3ab6 | Standard query (0) | 15.164.165.52.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 16, 2025 05:22:00.584521055 CET | 1.1.1.1 | 192.168.2.4 | 0xcc95 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 16, 2025 05:22:00.584521055 CET | 1.1.1.1 | 192.168.2.4 | 0xcc95 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 05:22:00.584521055 CET | 1.1.1.1 | 192.168.2.4 | 0xcc95 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 05:22:00.584521055 CET | 1.1.1.1 | 192.168.2.4 | 0xcc95 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 05:22:00.584521055 CET | 1.1.1.1 | 192.168.2.4 | 0xcc95 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 05:22:00.584521055 CET | 1.1.1.1 | 192.168.2.4 | 0xcc95 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 05:22:01.165002108 CET | 1.1.1.1 | 192.168.2.4 | 0xe648 | No error (0) | reallyfreegeoip.org | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 05:22:01.165002108 CET | 1.1.1.1 | 192.168.2.4 | 0xe648 | No error (0) | reallyfreegeoip.org | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 05:22:01.165002108 CET | 1.1.1.1 | 192.168.2.4 | 0xe648 | No error (0) | reallyfreegeoip.org | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 05:22:01.165002108 CET | 1.1.1.1 | 192.168.2.4 | 0xe648 | No error (0) | reallyfreegeoip.org | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 05:22:01.165002108 CET | 1.1.1.1 | 192.168.2.4 | 0xe648 | No error (0) | reallyfreegeoip.org | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 05:22:01.165002108 CET | 1.1.1.1 | 192.168.2.4 | 0xe648 | No error (0) | reallyfreegeoip.org | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 05:22:01.165002108 CET | 1.1.1.1 | 192.168.2.4 | 0xe648 | No error (0) | reallyfreegeoip.org | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 05:22:34.320681095 CET | 1.1.1.1 | 192.168.2.4 | 0x3ab6 | Name error (3) | 15.164.165.52.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                                                  • reallyfreegeoip.org
                                                  • checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 193.122.130.0 | 80 | 7556 | C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe
Timestamp                            Bytes transferred  Direction  Data
Jan 16, 2025 05:22:00.599602938 CET  151                OUT        GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 16, 2025 05:22:01.053620100 CET  321                IN         HTTP/1.1 200 OK
Date: Thu, 16 Jan 2025 04:22:01 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 6946dc2e9c1addb7056957b7c85b22cb
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 16, 2025 05:22:01.057292938 CET  127                OUT        GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 16, 2025 05:22:01.156481981 CET  321                IN         HTTP/1.1 200 OK
Date: Thu, 16 Jan 2025 04:22:01 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 80593c069250adf48a247b4dc38e1d74
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
The request is issued twice on the same connection (the second without the Connection header), and both replies hand back the sandbox's egress address, 8.46.123.189. The IDS alert above (SID 2803274) is stamped 05:22:01.198627, the client packet on this same 49730 to 193.122.130.0:80 connection in the TCP table. The User-Agent is hard-coded rather than borrowed from a real browser: a genuine Internet Explorer 6 string reads ".NET CLR 1.0.3705" with a space, so the exact string here is a usable network indicator.


Session ID: 0
Source IP: 192.168.2.4
Source Port: 49731
Destination IP: 104.21.48.1
Destination Port: 443
PID: 7556
Process: C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe

Timestamp: 2025-01-16 04:22:01 UTC | Bytes transferred: 85 | Direction: OUT
GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive

Timestamp: 2025-01-16 04:22:01 UTC | Bytes transferred: 853 | Direction: IN
HTTP/1.1 200 OK
                                                  Date: Thu, 16 Jan 2025 04:22:01 GMT
                                                  Content-Type: text/xml
                                                  Content-Length: 362
                                                  Connection: close
                                                  Age: 2316110
                                                  Cache-Control: max-age=31536000
                                                  cf-cache-status: HIT
                                                  last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Be6afJhFfPeCshp0QoxlGljg8HfPu329EdySa0pps3N18jOQ8ZdHWES6OTt8Uv2vCYzoQfLRb40gr85AiVkK9ec%2BF0m88elUanOGYyUqHIaDO2p6qlnVBtNobJZhSlifK0%2FjzXNy"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 902b5274ef13c323-EWR
                                                  alt-svc: h3=":443"; ma=86400
                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1512&min_rtt=1510&rtt_var=570&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1910994&cwnd=214&unsent_bytes=0&cid=f3ff73b1847cb5e5&ts=177&x=0"
Timestamp: 2025-01-16 04:22:01 UTC | Bytes transferred: 362 | Direction: IN
Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                  Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo



                                                  Target ID:0
                                                  Start time:23:21:59
                                                  Start date:15/01/2025
                                                  Path:C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe"
                                                  Imagebase:0xcf0000
                                                  File size:235'520 bytes
                                                  MD5 hash:A81A0F916354B1EE0232C5EAE992C365
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1688815803.0000000004144000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1688815803.0000000004144000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1688815803.0000000004144000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1688815803.0000000004144000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:1
                                                  Start time:23:21:59
                                                  Start date:15/01/2025
                                                  Path:C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\MV. ASL ROSE - VESSEL'S DESC.pdf.scr.exe"
                                                  Imagebase:0xe00000
                                                  File size:235'520 bytes
                                                  MD5 hash:A81A0F916354B1EE0232C5EAE992C365
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000001.00000002.2923641724.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2923641724.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.2923641724.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000001.00000002.2923641724.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2925288790.00000000032F4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low
                                                  Has exited:false

                                                    Execution Graph

                                                    Execution Coverage:9.2%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:81.8%
                                                    Total number of Nodes:33
                                                    Total number of Limit Nodes:0

                                                    Control-flow Graph

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1688270845.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1470000_MV.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (
                                                    • API String ID: 0-3887548279
                                                    • Opcode ID: 6e46b03258497c141a345201e804bd47d3624cf56257447e58841e982da805eb
                                                    • Instruction ID: f82c06115e67b66c9c8b759c1b0474f4405b67d947a3b6e12293ef656a7c26f3
                                                    • Opcode Fuzzy Hash: 6e46b03258497c141a345201e804bd47d3624cf56257447e58841e982da805eb
                                                    • Instruction Fuzzy Hash: 5A62D474E012288FDB64DF69C954BDDBBB2FB89300F1085EAD409AB295DB359E85CF40
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1688270845.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1470000_MV.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7ebfdd12bb7aa3675c5087aec6e8f930e1d01742b74227c9c83033b5aac3c8d9
                                                    • Instruction ID: 09f31dc4f3c24f473caabdfc7e412cced35705016c7b39c72d5e8fb64364959c
                                                    • Opcode Fuzzy Hash: 7ebfdd12bb7aa3675c5087aec6e8f930e1d01742b74227c9c83033b5aac3c8d9
                                                    • Instruction Fuzzy Hash: 4D42D274E012288FDB64DF69C954BDDBBB2BF89300F1085EAD509AB294DB359E85CF40

                                                    Control-flow Graph

                                                    APIs
                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0147791F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1688270845.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1470000_MV.jbxd
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID:
                                                    • API String ID: 963392458-0
                                                    • Opcode ID: 7d1545da21077ac93063e31d3c22ec40982cc9e15c251754d9d1f43287123ac9
                                                    • Instruction ID: 699d3b80247745d7fb6fbc3a5e249cf40ea70991d110324b08702042d341e538
                                                    • Opcode Fuzzy Hash: 7d1545da21077ac93063e31d3c22ec40982cc9e15c251754d9d1f43287123ac9
                                                    • Instruction Fuzzy Hash: D6C13771D0022D8FDB20DFA8C945BEEBBB1BF09300F0495AAE549B7250DB749A85CF95

                                                    Control-flow Graph

                                                    APIs
                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0147791F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1688270845.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1470000_MV.jbxd
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID:
                                                    • API String ID: 963392458-0
                                                    • Opcode ID: 030b26698bcd55af0c74ac2cdc39db42fbe39411f5b9d5a6b733ec65e3dbb376
                                                    • Instruction ID: 2c03a0320a1db135fe18c13fec5f85361b84f16e3120ef1faf49d0af76791d87
                                                    • Opcode Fuzzy Hash: 030b26698bcd55af0c74ac2cdc39db42fbe39411f5b9d5a6b733ec65e3dbb376
                                                    • Instruction Fuzzy Hash: 9AC13770D0022D8FDB20DFA8C945BEEBBB1BF49300F0495AAD549B7250DB749A85CF95

                                                    Control-flow Graph

                                                    APIs
                                                    • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 014773A3
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1688270845.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1470000_MV.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID:
                                                    • API String ID: 3559483778-0
                                                    • Opcode ID: 781600c51448dc9c924a614f83716f97f8054592b91ea239912f38de88f90fb9
                                                    • Instruction ID: ffdc8c22701c8375eacfb637cbd601ca05071d1a0b176487398ec14e5cd7c42b
                                                    • Opcode Fuzzy Hash: 781600c51448dc9c924a614f83716f97f8054592b91ea239912f38de88f90fb9
                                                    • Instruction Fuzzy Hash: 4B419AB5D012589FCF10CFA9D984ADEFBF1BB49310F14902AE819B7250D734AA45CF64

                                                    Control-flow Graph

                                                    APIs
                                                    • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 014773A3
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1688270845.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1470000_MV.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID:
                                                    • API String ID: 3559483778-0
                                                    • Opcode ID: e0e62747fa54025153b9062c711a14f7eea6546245193a7d9a54e300aa9ef593
                                                    • Instruction ID: 600abfa9470c558cc9a88e8c9517776b6c9805b9d80b4cb234aebe150a41fde5
                                                    • Opcode Fuzzy Hash: e0e62747fa54025153b9062c711a14f7eea6546245193a7d9a54e300aa9ef593
                                                    • Instruction Fuzzy Hash: EF419BB5D012589FCF10CFA9D984ADEFBF1BB49310F14902AE819B7250D735AA45CF64

                                                    Control-flow Graph

                                                    APIs
                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 014774DA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1688270845.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1470000_MV.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessRead
                                                    • String ID:
                                                    • API String ID: 1726664587-0
                                                    • Opcode ID: e80691b480a3a4f21ca530f9ddfd0e9e0feb246719bf9aed7777315f32527897
                                                    • Instruction ID: b8048f59e5a41e83dd4046b45261cd1f519566ed7bdc5303db1ce122e825fdef
                                                    • Opcode Fuzzy Hash: e80691b480a3a4f21ca530f9ddfd0e9e0feb246719bf9aed7777315f32527897
                                                    • Instruction Fuzzy Hash: 2F41C9B9D00258DFCF10CFA9D884AEEFBB1BB49310F10942AE819B7250D734A945CF69

                                                    Control-flow Graph

                                                    APIs
                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 014774DA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1688270845.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1470000_MV.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessRead
                                                    • String ID:
                                                    • API String ID: 1726664587-0
                                                    • Opcode ID: 5c90095687f0e816e72ee8f576a2fdba40a3815673d330487af48a51ff67b0c2
                                                    • Instruction ID: 60aecb458aabe6eda2289218f0904d2f4963078da4d78af82642f04506a15854
                                                    • Opcode Fuzzy Hash: 5c90095687f0e816e72ee8f576a2fdba40a3815673d330487af48a51ff67b0c2
                                                    • Instruction Fuzzy Hash: 0741BAB5D04258DFCF10CFA9D984AEEFBB1BB49310F10942AE815B7210C735A945CF68

                                                    Control-flow Graph

                                                    APIs
                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0147725A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1688270845.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1470000_MV.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    • Opcode ID: 433168d31f448891832962cc00ca01e9e114dc945bd362ec27d484b89d5e594e
                                                    • Instruction ID: cbeb775294c56916d6a1771ef1d20e65dfb3f17e9b6e965d494569733d5a5ad8
                                                    • Opcode Fuzzy Hash: 433168d31f448891832962cc00ca01e9e114dc945bd362ec27d484b89d5e594e
                                                    • Instruction Fuzzy Hash: B73197B9D042589FCF10CFA9D984ADEFBB1BB49310F10902AE815B7210D735A946CFA8

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 355 14771b0-147726a VirtualAllocEx 358 1477273-14772bd 355->358 359 147726c-1477272 355->359 359->358
                                                    APIs
                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0147725A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1688270845.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1470000_MV.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    • Opcode ID: 5f24e0b67f5566e78c1a74c299a955f07ebd3fd90c559f697ee84a841b2d7ee0
                                                    • Instruction ID: c2be5d9e2599914cc6b3e8d807c31e45e7a3bef0b6935f008e8459363aeb1e1b
                                                    • Opcode Fuzzy Hash: 5f24e0b67f5566e78c1a74c299a955f07ebd3fd90c559f697ee84a841b2d7ee0
                                                    • Instruction Fuzzy Hash: 9631A8B8D042589FCF10CFA9D984ADEFBB1BB49310F10902AE815B7210D735A945CFA8

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 364 1477080-14770e8 367 14770ff-1477147 Wow64SetThreadContext 364->367 368 14770ea-14770fc 364->368 370 1477150-147719c 367->370 371 1477149-147714f 367->371 368->367 371->370
                                                    APIs
                                                    • Wow64SetThreadContext.KERNEL32(?,?), ref: 01477137
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1688270845.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1470000_MV.jbxd
                                                    Similarity
                                                    • API ID: ContextThreadWow64
                                                    • String ID:
                                                    • API String ID: 983334009-0
                                                    • Opcode ID: 9840af16d3e093aa21d52c529a589f3caa9fa1f1b04bf3994595edc4e7977b91
                                                    • Instruction ID: 9c034318134378226694a6ee71b7dc265c38da5816bf76d33e349104aa40e0f0
                                                    • Opcode Fuzzy Hash: 9840af16d3e093aa21d52c529a589f3caa9fa1f1b04bf3994595edc4e7977b91
                                                    • Instruction Fuzzy Hash: 0F41CBB5D002589FCB10CFA9D984AEEFBF1BB49310F14802AE459B7354D738A985CFA4

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 376 1477088-14770e8 378 14770ff-1477147 Wow64SetThreadContext 376->378 379 14770ea-14770fc 376->379 381 1477150-147719c 378->381 382 1477149-147714f 378->382 379->378 382->381
                                                    APIs
                                                    • Wow64SetThreadContext.KERNEL32(?,?), ref: 01477137
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1688270845.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1470000_MV.jbxd
                                                    Similarity
                                                    • API ID: ContextThreadWow64
                                                    • String ID:
                                                    • API String ID: 983334009-0
                                                    • Opcode ID: f9878a359f808c6db7de7b1f50327810616bc47880c1b5aed16d3014b7946d71
                                                    • Instruction ID: 4cfec5ad4afaef06be74df2006f0ada96fbb6ec35b0480eb21337dfd7db1690f
                                                    • Opcode Fuzzy Hash: f9878a359f808c6db7de7b1f50327810616bc47880c1b5aed16d3014b7946d71
                                                    • Instruction Fuzzy Hash: 9C31BCB4D002589FCB14DFA9D984AEEFBF1BB49310F14802AE418B7350D738A985CF54

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 387 1476f90-1477026 ResumeThread 391 147702f-1477071 387->391 392 1477028-147702e 387->392 392->391
                                                    APIs
                                                    • ResumeThread.KERNELBASE(?), ref: 01477016
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1688270845.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1470000_MV.jbxd
                                                    Similarity
                                                    • API ID: ResumeThread
                                                    • String ID:
                                                    • API String ID: 947044025-0
                                                    • Opcode ID: 1d78e3b8b68638c5e2e0b528d165eb402374bed982eb8078db710d4d7c2a35f6
                                                    • Instruction ID: 46b8e9044c13a583578531bc108e8f1be538010d1a103728e2db23562d4713b5
                                                    • Opcode Fuzzy Hash: 1d78e3b8b68638c5e2e0b528d165eb402374bed982eb8078db710d4d7c2a35f6
                                                    • Instruction Fuzzy Hash: EC31CEB4D012589FCB14DFA9D585ADEFBB5FB49310F10942AE819B7310C735A941CF98

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 397 1476f98-1477026 ResumeThread 400 147702f-1477071 397->400 401 1477028-147702e 397->401 401->400
                                                    APIs
                                                    • ResumeThread.KERNELBASE(?), ref: 01477016
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1688270845.0000000001470000.00000040.00000800.00020000.00000000.sdmp, Offset: 01470000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1470000_MV.jbxd
                                                    Similarity
                                                    • API ID: ResumeThread
                                                    • String ID:
                                                    • API String ID: 947044025-0
                                                    • Opcode ID: 9d5cc8fe640400d4601e09d9d43f449538b222bce2e8a89333d7c9a8f55caa6a
                                                    • Instruction ID: 86115d88f0fa21a39d273f351f0258a219811f5b0efe674d643bf557afbbc05d
                                                    • Opcode Fuzzy Hash: 9d5cc8fe640400d4601e09d9d43f449538b222bce2e8a89333d7c9a8f55caa6a
                                                    • Instruction Fuzzy Hash: 4731ACB4D012589FCB14CFA9D984ADEFBB5AB49310F10942AE419B7350C735A945CF94
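The three call sites referenced in the control-flow graph blocks above (VirtualAllocEx at 0147725A, Wow64SetThreadContext at 01477137, ResumeThread at 01477016) are the remote-allocation, thread-context-redirection and resume steps of process hollowing, which is consistent with the "Creates a process in suspended mode (likely to inject code)" and "Injects a PE file into a foreign processes" signatures listed for this sample. The Python script below is an added example and is not part of the Joe Sandbox report or of the sample: it parses "APIs" lines in the format used in these blocks and checks the resulting set of call sites against that sequence. The stage-to-API table is a general description of the hollowing technique and is an assumption of the example; CreateProcess, NtUnmapViewOfSection and WriteProcessMemory do not appear in this excerpt, and the three input lines are copied from the blocks above but combined into one input set for the purpose of the example.

```python
"""Added example (not part of the Joe Sandbox report): parse the "APIs" lines of
control-flow-graph blocks and test the call-site set against the classic
process-hollowing sequence."""
import re

# The three API lines quoted in the report's control-flow-graph blocks. Treating
# them as one input set is a constructed scenario for this example.
REPORT_API_LINES = [
    "• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0147725A",
    "• Wow64SetThreadContext.KERNEL32(?,?), ref: 01477137",
    "• ResumeThread.KERNELBASE(?), ref: 01477016",
]

# Line format: "<Api>.<Module>(<args>), ref: <hex call-site address>"
_API_LINE = re.compile(
    r"^\s*\u2022?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),"
    r"\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def parse_api_line(line):
    """Return {'api', 'module', 'argc', 'ref'} for an API line, or None otherwise."""
    m = _API_LINE.match(line)
    if not m:
        return None
    args = m.group("args").strip()
    return {
        "api": m.group("api"),
        "module": m.group("module"),
        # Joe Sandbox prints one '?' per argument it could not resolve.
        "argc": 0 if not args else len(args.split(",")),
        "ref": int(m.group("ref"), 16),
    }


# Stages of process hollowing and the APIs commonly used for each one. This table
# is an assumption of the example (general knowledge of the technique); only
# VirtualAllocEx, Wow64SetThreadContext and ResumeThread are named in the report.
HOLLOWING_STAGES = {
    "create_suspended": {"CreateProcessA", "CreateProcessW", "CreateProcess", "NtCreateUserProcess"},
    "unmap_original": {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"},
    "allocate_remote": {"VirtualAllocEx", "NtAllocateVirtualMemory", "ZwAllocateVirtualMemory"},
    "write_remote": {"WriteProcessMemory", "NtWriteVirtualMemory", "ZwWriteVirtualMemory"},
    "redirect_entry": {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread", "ZwSetContextThread"},
    "resume": {"ResumeThread", "NtResumeThread", "ZwResumeThread"},
}

# Stages that must all be present before the call-site set is flagged.
REQUIRED = ("allocate_remote", "redirect_entry", "resume")


def stages_hit(lines):
    """Map each hollowing stage to the call-site addresses that implement it."""
    hits = {stage: [] for stage in HOLLOWING_STAGES}
    for line in lines:
        call = parse_api_line(line)
        if call is None:
            continue
        for stage, apis in HOLLOWING_STAGES.items():
            if call["api"] in apis:
                hits[stage].append(call["ref"])
    return hits


def looks_like_hollowing(lines):
    """True when every required stage has at least one call site.

    Deliberately order-insensitive: 'ref' is the address of the call instruction
    in the memory dump, not the time it executed, so sorting by ref would not
    recover execution order (the report's three refs decrease from alloc to resume).
    """
    hits = stages_hit(lines)
    return all(hits[stage] for stage in REQUIRED)


if __name__ == "__main__":
    for stage, refs in stages_hit(REPORT_API_LINES).items():
        print(f"{stage:18s} {', '.join(f'{r:08X}' for r in refs) or '-'}")
    print("process hollowing pattern:", looks_like_hollowing(REPORT_API_LINES))
```

The check intentionally reasons over the static call-site set, which is what this section of the report provides; confirming that the calls actually ran in hollowing order (create suspended, allocate, write, set context, resume) needs an execution-ordered API trace, not these addresses.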

                                                    Execution Graph

Execution Coverage: 13%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 28.3%
Total number of Nodes: 53
Total number of Limit Nodes: 6
execution_graph 22708 14646d8 22709 14646e4 22708->22709 22712 1467d10 22709->22712 22710 1464713 22713 1467d2c 22712->22713 22717 1467f37 22713->22717 22727 1467f48 22713->22727 22714 1467d38 22714->22710 22718 1467f48 22717->22718 22719 1468036 22718->22719 22737 146ee42 22718->22737 22743 146eef9 22718->22743 22749 146f128 22718->22749 22755 146ee98 22718->22755 22761 146ef08 22718->22761 22765 146f50c 22718->22765 22771 146ee71 22718->22771 22719->22714 22728 1467f6a 22727->22728 22729 1468036 22728->22729 22730 146ee42 2 API calls 22728->22730 22731 146ee71 2 API calls 22728->22731 22732 146f50c 2 API calls 22728->22732 22733 146ef08 LdrInitializeThunk 22728->22733 22734 146ee98 2 API calls 22728->22734 22735 146f128 2 API calls 22728->22735 22736 146eef9 2 API calls 22728->22736 22729->22714 22730->22729 22731->22729 22732->22729 22733->22729 22734->22729 22735->22729 22736->22729 22742 146ee78 22737->22742 22738 146eeb0 22738->22719 22739 146f504 LdrInitializeThunk 22739->22738 22741 146ef08 LdrInitializeThunk 22741->22742 22742->22738 22742->22739 22742->22741 22745 146eefc 22743->22745 22744 146ef1a 22744->22719 22745->22744 22746 146f504 LdrInitializeThunk 22745->22746 22748 146ef08 LdrInitializeThunk 22745->22748 22746->22744 22748->22745 22750 146f129 22749->22750 22751 146f2b9 22750->22751 22752 146f504 LdrInitializeThunk 22750->22752 22754 146ef08 LdrInitializeThunk 22750->22754 22751->22719 22752->22751 22754->22750 22759 146ee78 22755->22759 22756 146eeb0 22756->22719 22757 146f504 LdrInitializeThunk 22757->22756 22759->22756 22759->22757 22760 146ef08 LdrInitializeThunk 22759->22760 22760->22759 22764 146ef09 22761->22764 22762 146ef1a 22762->22719 22763 146f649 LdrInitializeThunk 22763->22762 22764->22762 22764->22763 22769 146f3c3 22765->22769 22766 146f504 LdrInitializeThunk 22768 146f661 22766->22768 22768->22719 22769->22766 22770 146ef08 LdrInitializeThunk 22769->22770 22770->22769 22776 146ee78 22771->22776 22772 146eeb0 22772->22719 22773 146f504 LdrInitializeThunk 22773->22772 22775 146ef08 LdrInitializeThunk 22775->22776 22776->22772 22776->22773 22776->22775
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.2926779761.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_5d40000_MV.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (o^q$(o^q$(o^q$(o^q$(o^q$(o^q$(o^q$,bq$,bq
                                                    • API String ID: 0-2735749406
                                                    • Opcode ID: d82b8fbb38d17f6c4ebf43807f22da1de4496dd7ebd219882b70437507cc5b8a
                                                    • Instruction ID: 8fd85217f87cda6bd6e13230590155c5e23cfb9ed926bb7471bb41379a01a425
                                                    • Opcode Fuzzy Hash: d82b8fbb38d17f6c4ebf43807f22da1de4496dd7ebd219882b70437507cc5b8a
                                                    • Instruction Fuzzy Hash: C2823C31A04209DFDB15CF69C988AAEBBF2FF48314F15855AE456AB2A1DB30ED41CF50
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.2926779761.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_5d40000_MV.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: (o^q$(o^q$(o^q$,bq$,bq$Hbq
                                                    • API String ID: 0-56095411
                                                    • Opcode ID: 5a15299d476d08154ebd528fdae52dba639c4738455451f7f1306a241e131478
                                                    • Instruction ID: 5eb60ec166312ba58282b0ae5d74c73544fbab52d468bae906c091bf0393a072
                                                    • Opcode Fuzzy Hash: 5a15299d476d08154ebd528fdae52dba639c4738455451f7f1306a241e131478
                                                    • Instruction Fuzzy Hash: F7724D70A402199FDB15CF69C894AAEBBF7BF88300F14846AE855AB3A5DB30DD41CF50

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 2196 146f128-146f157 2198 146f15e-146f1f4 call 1468e48 2196->2198 2199 146f159 2196->2199 2205 146f293-146f299 2198->2205 2199->2198 2206 146f29f-146f2b7 2205->2206 2207 146f1f9-146f20c 2205->2207 2208 146f2cb-146f2de 2206->2208 2209 146f2b9-146f2c6 2206->2209 2210 146f213-146f264 2207->2210 2211 146f20e 2207->2211 2213 146f2e5-146f301 2208->2213 2214 146f2e0 2208->2214 2212 146f661-146f75f 2209->2212 2228 146f266-146f274 2210->2228 2229 146f277-146f289 2210->2229 2211->2210 2219 146f767-146f771 2212->2219 2220 146f761-146f766 call 1468e48 2212->2220 2216 146f303 2213->2216 2217 146f308-146f32c 2213->2217 2214->2213 2216->2217 2225 146f333-146f365 2217->2225 2226 146f32e 2217->2226 2220->2219 2234 146f367 2225->2234 2235 146f36c-146f3ae 2225->2235 2226->2225 2228->2206 2231 146f290 2229->2231 2232 146f28b 2229->2232 2231->2205 2232->2231 2234->2235 2237 146f3b5-146f3be 2235->2237 2238 146f3b0 2235->2238 2239 146f5e6-146f5ec 2237->2239 2238->2237 2240 146f5f2-146f605 2239->2240 2241 146f3c3-146f3e8 2239->2241 2244 146f607 2240->2244 2245 146f60c-146f627 2240->2245 2242 146f3ef-146f426 2241->2242 2243 146f3ea 2241->2243 2253 146f42d-146f45f 2242->2253 2254 146f428 2242->2254 2243->2242 2244->2245 2246 146f62e-146f642 2245->2246 2247 146f629 2245->2247 2251 146f644 2246->2251 2252 146f649-146f65f LdrInitializeThunk 2246->2252 2247->2246 2251->2252 2252->2212 2256 146f4c3-146f4d6 2253->2256 2257 146f461-146f486 2253->2257 2254->2253 2260 146f4dd-146f502 2256->2260 2261 146f4d8 2256->2261 2258 146f48d-146f4bb 2257->2258 2259 146f488 2257->2259 2258->2256 2259->2258 2264 146f504-146f505 2260->2264 2265 146f511-146f549 2260->2265 2261->2260 2264->2240 2266 146f550-146f5b1 call 146ef08 2265->2266 2267 146f54b 2265->2267 2273 146f5b3 2266->2273 2274 146f5b8-146f5dc 2266->2274 2267->2266 2273->2274 2277 146f5e3 2274->2277 2278 146f5de 2274->2278 2277->2239 2278->2277
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.2924433508.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_1460000_MV.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1b9024f6b005daa532fa09f41d663688fad048f65184a1a0494c2608b339d816
                                                    • Instruction ID: 0b3420e7cafa50c97337343e3686b7a8bc3d602e130484803241d530eec3fe26
                                                    • Opcode Fuzzy Hash: 1b9024f6b005daa532fa09f41d663688fad048f65184a1a0494c2608b339d816
                                                    • Instruction Fuzzy Hash: DEF11674E01218CFDB14CFA9D894B9DBBB6BF88304F14C1AAE448AB365DB309985CF51
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.2926779761.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_5d40000_MV.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6810f18fec5ae5eab8a4b73d208bd14ec3e9c7a917667e050f0df0876734a574
                                                    • Instruction ID: 63458e4094e317de06cda2268a0ee34611d2b6561a714cbb44181c6d0477179e
                                                    • Opcode Fuzzy Hash: 6810f18fec5ae5eab8a4b73d208bd14ec3e9c7a917667e050f0df0876734a574
                                                    • Instruction Fuzzy Hash: 7C826D74E012288FDB64DF69C998BDDBBB2BB89300F1081EA941DA7265DB315EC5CF41
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.2924433508.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_1460000_MV.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d2b379cd51984cff1a495464679f123a54533e2b9fabc1b77a4d9b92821748cb
                                                    • Instruction ID: 91baebd83a730a1b249ef5ceaa5cfbd408a8498be6472bc5b1203b392d968ba6
                                                    • Opcode Fuzzy Hash: d2b379cd51984cff1a495464679f123a54533e2b9fabc1b77a4d9b92821748cb
                                                    • Instruction Fuzzy Hash: 46C1A174E01218CFDB14DFA9D994B9DBBB2FB88304F1480AAD819A7364DB359E85CF11
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.2924433508.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_1460000_MV.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d18a2fdb2ba5ff1c4b0bb6545d03d575d7cda35699735d98ecb444f91555c196
                                                    • Instruction ID: 56629195d0e74f426f78cd5aad6019aaaa2d4d238cfd003a3f9cb9560740ffb2
                                                    • Opcode Fuzzy Hash: d18a2fdb2ba5ff1c4b0bb6545d03d575d7cda35699735d98ecb444f91555c196
                                                    • Instruction Fuzzy Hash: 52A12570D002098FEB14DFA9D984BADBFB1FF88304F24926AE508A73A1DB745985CF55
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.2924433508.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_1460000_MV.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 443e243190437801425a1f0a6e95f5c5a8ab4952f025c3739b0081a49730aee5
                                                    • Instruction ID: 36976c4416662c67c76ad78d4276571fca6feec6889cf150a61714c81d4244a0
                                                    • Opcode Fuzzy Hash: 443e243190437801425a1f0a6e95f5c5a8ab4952f025c3739b0081a49730aee5
                                                    • Instruction Fuzzy Hash: 4EA11370D00209CFEB14DFA9D988B9DBBB1FF88304F24926AE509A73A1DB745984CF55
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.2924433508.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_1460000_MV.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: eaa68f6db9f5af0a3c719410b6879f770d0d9de631c065138e249e68a627c176
                                                    • Instruction ID: 3f34b12b0e4bb26330b5f804e6f87787aeedbe54bd088f8a2d1ecd0ff058a08c
                                                    • Opcode Fuzzy Hash: eaa68f6db9f5af0a3c719410b6879f770d0d9de631c065138e249e68a627c176
                                                    • Instruction Fuzzy Hash: 0F910370D00309CFDB10DFA9D984BADBBB1FF48304F20926AE509A72A1DB749984CF15

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 1513 5d4b968-5d4b99f 1517 5d4b9a1-5d4ba0b 1513->1517 1518 5d4ba0c-5d4be56 1513->1518 1517->1518 1591 5d4be5c-5d4be6c 1518->1591 1592 5d4c3a8-5d4c3dd 1518->1592 1591->1592 1593 5d4be72-5d4be82 1591->1593 1597 5d4c3df-5d4c3e4 1592->1597 1598 5d4c3e9-5d4c407 1592->1598 1593->1592 1594 5d4be88-5d4be98 1593->1594 1594->1592 1596 5d4be9e-5d4beae 1594->1596 1596->1592 1599 5d4beb4-5d4bec4 1596->1599 1600 5d4c4ce-5d4c4d3 1597->1600 1610 5d4c47e-5d4c48a 1598->1610 1611 5d4c409-5d4c413 1598->1611 1599->1592 1601 5d4beca-5d4beda 1599->1601 1601->1592 1603 5d4bee0-5d4bef0 1601->1603 1603->1592 1604 5d4bef6-5d4bf06 1603->1604 1604->1592 1606 5d4bf0c-5d4bf1c 1604->1606 1606->1592 1607 5d4bf22-5d4bf32 1606->1607 1607->1592 1609 5d4bf38-5d4c3a7 1607->1609 1615 5d4c4a1-5d4c4ad 1610->1615 1616 5d4c48c-5d4c498 1610->1616 1611->1610 1617 5d4c415-5d4c421 1611->1617 1625 5d4c4c4-5d4c4c6 1615->1625 1626 5d4c4af-5d4c4bb 1615->1626 1616->1615 1624 5d4c49a-5d4c49f 1616->1624 1622 5d4c446-5d4c449 1617->1622 1623 5d4c423-5d4c42e 1617->1623 1628 5d4c460-5d4c46c 1622->1628 1629 5d4c44b-5d4c457 1622->1629 1623->1622 1635 5d4c430-5d4c43a 1623->1635 1624->1600 1625->1600 1626->1625 1637 5d4c4bd-5d4c4c2 1626->1637 1633 5d4c4d4-5d4c520 1628->1633 1634 5d4c46e-5d4c475 1628->1634 1629->1628 1641 5d4c459-5d4c45e 1629->1641 1725 5d4c523 call 5d4c698 1633->1725 1726 5d4c523 call 5d4c6a8 1633->1726 1634->1633 1638 5d4c477-5d4c47c 1634->1638 1635->1622 1645 5d4c43c-5d4c441 1635->1645 1637->1600 1638->1600 1641->1600 1645->1600 1647 5d4c529-5d4c530 1648 5d4c532-5d4c53d 1647->1648 1649 5d4c543-5d4c54e 1647->1649 1648->1649 1654 5d4c5c6-5d4c618 1648->1654 1655 5d4c554-5d4c5b1 1649->1655 1656 5d4c61f-5d4c64b 1649->1656 1654->1656 1665 5d4c5ba-5d4c5c3 1655->1665 1725->1647 1726->1647
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.2926779761.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_5d40000_MV.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: $^q$$^q
                                                    • API String ID: 0-355816377
                                                    • Opcode ID: 762cd8989a3d76d58d7728c4aaf3428c15c4f5b5ac948024f4845b1e6e83f036
                                                    • Instruction ID: ac3d0b44df20329a9af3864637270c6c8aa7707b7c6cf49e153385e8998e4d3a
                                                    • Opcode Fuzzy Hash: 762cd8989a3d76d58d7728c4aaf3428c15c4f5b5ac948024f4845b1e6e83f036
                                                    • Instruction Fuzzy Hash: 8C623F74A002198FDB159FA5C8A4BAEBF76FB94300F1080AED10A6B3A5CF359D85DF51

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
control_flow_graph 1727 5d49260-5d49282 1728 5d49284-5d49288 1727->1728 1729 5d49298-5d492a3 1727->1729 1730 5d492b0-5d492b7 1728->1730 1731 5d4928a-5d49296 1728->1731 1732 5d492a9-5d492ab 1729->1732 1733 5d4934b-5d49377 1729->1733 1734 5d492d7-5d492e0 1730->1734 1735 5d492b9-5d492c0 1730->1735 1731->1729 1731->1730 1736 5d49343-5d49348 1732->1736 1741 5d4937e-5d493d6 1733->1741 1837 5d492e2 call 5d49250 1734->1837 1838 5d492e2 call 5d49260 1734->1838 1735->1734 1738 5d492c2-5d492cd 1735->1738 1740 5d492d3-5d492d5 1738->1740 1738->1741 1739 5d492e8-5d492ea 1742 5d492f2-5d492fa 1739->1742 1743 5d492ec-5d492f0 1739->1743 1740->1736 1759 5d493e5-5d493f6 call 5d45b70 1741->1759 1760 5d493d8-5d493de 1741->1760 1746 5d492fc-5d49301 1742->1746 1747 5d49309-5d4930b 1742->1747 1743->1742 1745 5d4930d-5d4931e 1743->1745 1839 5d49321 call 5d49b40 1745->1839 1840 5d49321 call 5d49b31 1745->1840 1746->1747 1747->1736 1750 5d49327-5d4932c 1753 5d49341 1750->1753 1754 5d4932e-5d49337 1750->1754 1753->1736 1832 5d49339 call 5d4c59d 1754->1832 1833 5d49339 call 5d4b968 1754->1833 1834 5d49339 call 5d4b959 1754->1834 1756 5d4933f 1756->1736 1763 5d493fc-5d49400 1759->1763 1764 5d4948a-5d4948c 1759->1764 1760->1759 1765 5d49410-5d4941d 1763->1765 1766 5d49402-5d4940e 1763->1766 1830 5d4948e call 5d49250 1764->1830 1831 5d4948e call 5d49260 1764->1831 1772 5d4941f-5d49429 1765->1772 1766->1772 1767 5d49494-5d4949a 1769 5d494a6-5d494ad 1767->1769 1770 5d4949c-5d494a2 1767->1770 1773 5d494a4 1770->1773 1774 5d49508-5d49567 1770->1774 1777 5d49456-5d4945a 1772->1777 1778 5d4942b-5d4943a 1772->1778 1780 5d49466-5d4946a 1777->1780 1781 5d4945c-5d49462 1777->1781 1789 5d4943c-5d49443 1778->1789 1790 5d4944a-5d49454 1778->1790 1780->1769 1782 5d4946c-5d49470 1780->1782 1784 5d49464 1781->1784 1785 5d494b0-5d49501 1781->1785 1786 5d49476-5d49488 1782->1786 1782->1787 1784->1769 1785->1774 1786->1769 1801 5d495a0-5d495ad 1787->1801 1802 5d495c3-5d495d0 1787->1802 1789->1790 1790->1777 1807 5d495bf-5d495c1 1801->1807 1808 5d495af-5d495bd 1801->1808 1810 5d495d2-5d495dc 1802->1810 1807->1810 1808->1810 1815 5d49604 1810->1815 1816 5d495de-5d495ec 1810->1816 1835 5d49606 call 5d49710 1815->1835 1836 5d49606 call 5d49720 1815->1836 1821 5d495ee-5d495f2 1816->1821 1822 5d495f9-5d49602 1816->1822 1819 5d4960c-5d49610 1823 5d49612-5d49627 1819->1823 1824 5d49629-5d4962d 1819->1824 1821->1822 1822->1815 1826 5d4964b-5d49651 1823->1826 1825 5d4962f-5d49644 1824->1825 1824->1826 1825->1826 1830->1767 1831->1767 1832->1756 1833->1756 1834->1756 1835->1819 1836->1819 1837->1739 1838->1739 1839->1750 1840->1750
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.2926779761.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_5d40000_MV.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Hbq$Hbq
                                                    • API String ID: 0-4258043069
                                                    • Opcode ID: 72eb58b9cb472b77a578d7b61a142b70fa150118f1da93e1b37d3a819b7b2d33
                                                    • Instruction ID: 40eab65b1438c91d973c6aaa26e81ce46b1f6b5c4a8a88884d3a17b3d55afb07
                                                    • Opcode Fuzzy Hash: 72eb58b9cb472b77a578d7b61a142b70fa150118f1da93e1b37d3a819b7b2d33
                                                    • Instruction Fuzzy Hash: 0FC1B3303052558FDB159F6AD8A4A3F7BE6FB89200F18856AE94ACB394CF35CC41CB95
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.2926779761.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_5d40000_MV.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ,bq$,bq
                                                    • API String ID: 0-2699258169
                                                    • Opcode ID: 63202110ebb38ea3812e7449af4bc0eb456add15ef7878af993d1b232cfa463b
                                                    • Instruction ID: a85294894c1f53ccaab4793663a70c0c7953af8bc7608a9d30d2f329711cd2b4
                                                    • Opcode Fuzzy Hash: 63202110ebb38ea3812e7449af4bc0eb456add15ef7878af993d1b232cfa463b
                                                    • Instruction Fuzzy Hash: 6A815E35A04105DFCB14CF6EC8A4A6BBBB2BF89220B15816AD41AE7365DB31E841CF91
                                                    APIs
                                                    • LdrInitializeThunk.NTDLL(00000000), ref: 0146F64E
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.2924433508.0000000001460000.00000040.00000800.00020000.00000000.sdmp, Offset: 01460000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_1460000_MV.jbxd
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 707735181c6f321103c05d78e1a2ed9e0c9849653db1eeec4af3b43bd09a50b2
                                                    • Instruction ID: 4952082dee25b854c531cc84e3f9920d8da8e85c773f69ea86bada9b0e281715
                                                    • Opcode Fuzzy Hash: 707735181c6f321103c05d78e1a2ed9e0c9849653db1eeec4af3b43bd09a50b2
                                                    • Instruction Fuzzy Hash: 2C118474E011099FDB04DFA8E494EADBBB9FB88308F14D126E944E7262DB30AC46CF51
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.2926779761.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_5d40000_MV.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 4'^q
                                                    • API String ID: 0-1614139903
                                                    • Opcode ID: 246f5a8b2d615ea3b052aa292dc77503c6554876c546ec31dc1674f848013d83
                                                    • Instruction ID: 56e45507de25f185c3ba86a54cac8e59de1d3536a5ec4d14ee5439d1991ad6d0
                                                    • Opcode Fuzzy Hash: 246f5a8b2d615ea3b052aa292dc77503c6554876c546ec31dc1674f848013d83
                                                    • Instruction Fuzzy Hash: 414147746001099FDF04DF69D888AAA7BB6FB58315F00006AF91ACB3A1CB30DC91CF90
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.2926779761.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_5d40000_MV.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 4'^q
                                                    • API String ID: 0-1614139903
                                                    • Opcode ID: 0e1591ca6cc1372b4b72e1e54973aace7259bab06cdb4008964c5cbdcf9088fc
                                                    • Instruction ID: 5820f1677be81d836e1b8336852ec1f1f6394489bc15702344d406bfe31c0d82
                                                    • Opcode Fuzzy Hash: 0e1591ca6cc1372b4b72e1e54973aace7259bab06cdb4008964c5cbdcf9088fc
                                                    • Instruction Fuzzy Hash: 672194317082598BEF14CE6AAC8467B7FEAFBA5240B044427E856C7242DB35DC80CFA1
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.2926779761.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_5d40000_MV.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ca89f117527965d8cbb13ece140f9b4ac1981e2454df0f0b541096513dc83914
                                                    • Instruction ID: 2199a1a8e4c22d3f9c6231d12a05e93c4b6b53c94c00885a1c8e2a4f954888e7
                                                    • Opcode Fuzzy Hash: ca89f117527965d8cbb13ece140f9b4ac1981e2454df0f0b541096513dc83914
                                                    • Instruction Fuzzy Hash: F7F1FC75A11614DFCB14CFA9D5889ADBBF6BF88310B1980AAE415AB371DB31EC41CF60
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.2926779761.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_5d40000_MV.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 01100e6ab910adc9600b6dde01228b62f86917ba734d25e5b62182a0df366b1c
                                                    • Instruction ID: 2db3d84a9689270eef7796019dfa80ce61a729f325f5b7cd9061aa9f9cff29ec
                                                    • Opcode Fuzzy Hash: 01100e6ab910adc9600b6dde01228b62f86917ba734d25e5b62182a0df366b1c
                                                    • Instruction Fuzzy Hash: 825158357142159FEF14DF39D884A3B7BEABF9864071944ABE44ACB361EB21EC01CB50
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.2926779761.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_5d40000_MV.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6ce6119329745d50b3f3307d27ff540bc82b2cbbf5c81362f3ee32ce4cce0434
                                                    • Instruction ID: 1e3150adeec0993a322025bb6023cc7a302e8f19c77641f2d021b0a1328f0fcf
                                                    • Opcode Fuzzy Hash: 6ce6119329745d50b3f3307d27ff540bc82b2cbbf5c81362f3ee32ce4cce0434
                                                    • Instruction Fuzzy Hash: 8281A474E062299FDB65DF25D980BEDBBB2BB89300F1080EAD85DA7250DB315E81CF41
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.2926779761.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_5d40000_MV.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 13695aded9bc1b9188051f265214453afb2378814d490e8d65ff1a8286dd1d19
                                                    • Instruction ID: ff7f514209c6397bc98bdb38b18113f45e011a6b6d5966f161d5edf5c98f555e
                                                    • Opcode Fuzzy Hash: 13695aded9bc1b9188051f265214453afb2378814d490e8d65ff1a8286dd1d19
                                                    • Instruction Fuzzy Hash: 45319E3160520ADFCB05DF65D855A7F3FA2FB98240F04802AF9199B294CB79CD61DFA1
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.2926779761.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_5d40000_MV.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 31095d333fde71f6a879469af669a257cd0c545e6c4f5426faccc5bfd33d0dc8
                                                    • Instruction ID: 1c7278aade64d65cb01adb3ec20cfdb0814c925b30165b1b7648956762fe70f3
                                                    • Opcode Fuzzy Hash: 31095d333fde71f6a879469af669a257cd0c545e6c4f5426faccc5bfd33d0dc8
                                                    • Instruction Fuzzy Hash: 1B2192317082059BFF146A2AC85473E799BBFD4615F18803BD54ACB394EE75CC42EB85
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.2926779761.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_5d40000_MV.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ea4491227194f9295490df32797c460a46cbcd7ddc9baea0139f3779ac655d85
                                                    • Instruction ID: 83bb3a3e4b6ca7564944e68e35207b2104e18c86739b775479f66432993fb614
                                                    • Opcode Fuzzy Hash: ea4491227194f9295490df32797c460a46cbcd7ddc9baea0139f3779ac655d85
                                                    • Instruction Fuzzy Hash: 3121C5313082058BEF156B3A889463D7AA7BFD5615B18407BE54ACB395EE35C842EB82
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.2926779761.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_5d40000_MV.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: aab3c10d5c2584bdc9aa8562bc48c5e44c87b48027f22d02c450177cb45ffc75
                                                    • Instruction ID: aca6290e37d3f21a3ffddc3b4a65c50b34cd4dcc30a9f59382c768ad96a9eb17
                                                    • Opcode Fuzzy Hash: aab3c10d5c2584bdc9aa8562bc48c5e44c87b48027f22d02c450177cb45ffc75
                                                    • Instruction Fuzzy Hash: C6315275A106058FCB14DF69C8889AFBBF6FF88210B15855AE515973B1DB34DC41CF90
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.2924128877.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_141d000_MV.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5455c55ba267f4f4523c2e454f349a13b6c0a945983c28d9039a9448a16d0b0b
                                                    • Instruction ID: de33875749a917b2715f0ba186a93f8506f8d09f49eb1e57066657fdc8df52f0
                                                    • Opcode Fuzzy Hash: 5455c55ba267f4f4523c2e454f349a13b6c0a945983c28d9039a9448a16d0b0b
                                                    • Instruction Fuzzy Hash: 412125F1904200DFCB15DF58D988B26BFA5EB84318F20C66ED80A4B36AC336D447CA62
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.2926779761.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_5d40000_MV.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5266e4fee56031ac7ba8ad9ab2758b72de2c71c3ff698af9594ef47bee5e9582
                                                    • Instruction ID: 246be7706cb4d38ff651167390a6c526ec051e994b6d426c00552e909bf3e581
                                                    • Opcode Fuzzy Hash: 5266e4fee56031ac7ba8ad9ab2758b72de2c71c3ff698af9594ef47bee5e9582
                                                    • Instruction Fuzzy Hash: 7621DE326062499FDB01DF25D845B7B3FA2FB94350F04402AF8199B280CB78CEA1DBA1
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.2924128877.000000000141D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0141D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_141d000_MV.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 780fc246396d6f358f44620235526ced279bef77e5a46127f454dbac1aa8424b
                                                    • Instruction ID: 192127c6cb7ffbdd2da938ab060520e6ed86759ba28f432d87aba40bf1965b0b
                                                    • Opcode Fuzzy Hash: 780fc246396d6f358f44620235526ced279bef77e5a46127f454dbac1aa8424b
                                                    • Instruction Fuzzy Hash: 5E216B7550D3C08FDB07CF64C994711BF71AB46214F29C5EBD8898F2A7C23A980ACB62
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.2926779761.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_5d40000_MV.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3a6dcbc37b694265ee5519bc7f6092f06a48a89b51d23e396819ee6e69c65e40
                                                    • Instruction ID: 0999b4e3b976f947ac07b5ee400bb5fed5645af1a83efc5dbf885f8085c3c4e2
                                                    • Opcode Fuzzy Hash: 3a6dcbc37b694265ee5519bc7f6092f06a48a89b51d23e396819ee6e69c65e40
                                                    • Instruction Fuzzy Hash: 8D21CA31A402489FDB20CF94C848FABBBF6FB44310F40856BE85A8B651E771E984CF90
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.2926779761.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_5d40000_MV.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cb4a0c41c02afc59c68859e17b4245a2a4eaa5056a44a7c327703539e66e67a0
                                                    • Instruction ID: 0a4fe34c3ec1382870e13da169caf735576829a1dd23e4dacf442381cd97e12d
                                                    • Opcode Fuzzy Hash: cb4a0c41c02afc59c68859e17b4245a2a4eaa5056a44a7c327703539e66e67a0
                                                    • Instruction Fuzzy Hash: DC01D632B001186BDB05DF5A9810ABF3FABEBC8A50F54802AF519D7284DE71CC118BA0
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.2926779761.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_5d40000_MV.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dd04b9953cb46a69fca47312e13ce01b3ffe14cfa17458daa72cd137aa64c424
                                                    • Instruction ID: 8cadd699c253851e517feb3c410996f86b6ce9f6a110de634edcbd521ae5bd9b
                                                    • Opcode Fuzzy Hash: dd04b9953cb46a69fca47312e13ce01b3ffe14cfa17458daa72cd137aa64c424
                                                    • Instruction Fuzzy Hash: ED01D6326041486BDB02DF56AC14FBB3FAAEBC4750F54802AF519C7140DB31D8119B90
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.2926779761.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_5d40000_MV.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 28fd164409daf6cbd8f36f049e28d8779435cb42f3caf6cb7f6c08badb3e2284
                                                    • Instruction ID: 60a50323f4a4543d550603bae08673d938a34c207194118791a80ed56fa3a3b1
                                                    • Opcode Fuzzy Hash: 28fd164409daf6cbd8f36f049e28d8779435cb42f3caf6cb7f6c08badb3e2284
                                                    • Instruction Fuzzy Hash: F4E0DF306166048FD700AF78F40D3AA7BB8FB82201F414E3AF506A7618EF7598808BD7
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.2926779761.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_5d40000_MV.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4c6317bab8246dda5b8736e11c1e989575dd24525c287e450002c2f6c545534b
                                                    • Instruction ID: 70e821aa7574c9f2e943cd5d8ad260f4bc8a024d76469c22f623552110d724b0
                                                    • Opcode Fuzzy Hash: 4c6317bab8246dda5b8736e11c1e989575dd24525c287e450002c2f6c545534b
                                                    • Instruction Fuzzy Hash: D4E0C2316156048FD7117F79F40815A7BF8FB86245F41063BE505A7358EF359C8087D6
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.2926779761.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_5d40000_MV.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f240217cca757302897d8e792a892140c2b77a89a026ff9739a6f962f16337e8
                                                    • Instruction ID: f36048b31d30d18c395136a157694d3e69dfe098d4eec5bc422f1c727cfd4f6c
                                                    • Opcode Fuzzy Hash: f240217cca757302897d8e792a892140c2b77a89a026ff9739a6f962f16337e8
                                                    • Instruction Fuzzy Hash: 66D02B3000B3884FF342E73FB801A627F59A791200F048568A0454626ACFB44CC98B81
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.2926779761.0000000005D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05D40000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_1_2_5d40000_MV.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 09f5625ba3dd9172dc2f73e01d69157301ec99683a28e2ac6baef2022bc12673
                                                    • Instruction ID: f1a051ec26556dc75a803700dcd16631f130d0966052bb9a31193e7a17d0b286