
Windows Analysis Report
CswRsjV3kH.exe

Overview

General Information

Sample name: CswRsjV3kH.exe (renamed because original name is a hash value)
Original sample name: 3E6CD9723E292652064FC1A06D75CBE4.exe
Analysis ID: 1429015
MD5: 3e6cd9723e292652064fc1a06d75cbe4
SHA1: f1f8ab71fa3dd76b0491c4b5133fdeb2f9fae162
SHA256: 9172b16ccd9506d70f0ef99e07853e683f700a0b79f83dfa6a121abf97ec48cd
Tags: exe, RedLineStealer

Detection

RedLine
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
.NET source code contains very large array initializations
Hides threads from debuggers
Installs new ROOT certificates
Machine Learning detection for sample
PE file has nameless sections
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Detected potential crypto function
Drops certificate files (DER)
Enables debug privileges
Enables security privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

  • System is w10x64
  • CswRsjV3kH.exe (PID: 7536 cmdline: "C:\Users\user\Desktop\CswRsjV3kH.exe" MD5: 3E6CD9723E292652064FC1A06D75CBE4)
    • conhost.exe (PID: 7544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
No configs have been found
Yara matches in memory dumps

Source | Rule | Description | Author
00000000.00000002.1680722858.00000000030C9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.1685662213.00000000055F0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.1685108688.00000000043B1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000003.1639408489.000000000555F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
00000000.00000002.1685108688.0000000004423000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
(2 further entries not shown)

Yara matches in unpacked PEs

Source | Rule | Description | Author
0.2.CswRsjV3kH.exe.43b6458.5.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.3.CswRsjV3kH.exe.555ff08.0.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.CswRsjV3kH.exe.55f0ee8.8.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.CswRsjV3kH.exe.55f0000.7.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
0.2.CswRsjV3kH.exe.30c9f16.3.raw.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
(10 further entries not shown)
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: CswRsjV3kH.exe ReversingLabs: Detection: 50%
Source: CswRsjV3kH.exe Virustotal: Detection: 36%
Source: CswRsjV3kH.exe Joe Sandbox ML: detected
Source: CswRsjV3kH.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: _.pdb source: CswRsjV3kH.exe, 00000000.00000002.1685662213.000000000565E000.00000004.08000000.00040000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000002.1680722858.0000000003137000.00000004.00000800.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1639408489.00000000055CD000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000002.1685108688.0000000004423000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\CswRsjV3kH.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 0_2_05698254
Source: C:\Users\user\Desktop\CswRsjV3kH.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 0_2_05699ED9
Source: CswRsjV3kH.exe, 00000000.00000002.1681073229.0000000003451000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $tq3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\tq equals www.youtube.com (Youtube)
Source: CswRsjV3kH.exe, 00000000.00000002.1681073229.00000000033B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $tq3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@|- equals www.youtube.com (Youtube)
Source: CswRsjV3kH.exe, 00000000.00000002.1681073229.0000000003451000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: CswRsjV3kH.exe, 00000000.00000002.1681073229.0000000003451000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\tq equals www.youtube.com (Youtube)
Source: CswRsjV3kH.exe, 00000000.00000002.1681073229.0000000003451000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb`,tq equals www.youtube.com (Youtube)
Source: CswRsjV3kH.exe, 00000000.00000002.1681073229.0000000003451000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `,tq#www.youtube.com_0.indexeddb.le equals www.youtube.com (Youtube)
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: CswRsjV3kH.exe, 00000000.00000003.1664654420.0000000006225000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1664764436.0000000006225000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1664462458.00000000061F3000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1664434642.00000000061FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: CswRsjV3kH.exe, 00000000.00000003.1654236666.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654472364.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654764234.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656362898.00000000061FB000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657195062.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1658370268.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1655846532.00000000061F5000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1658538269.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654699594.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1655527565.00000000061F3000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1658182658.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657286178.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657632244.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656940174.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654887659.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654011505.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657918553.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1653941163.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654388886.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657376337.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654625721.0000000006202000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.com
Source: CswRsjV3kH.exe, 00000000.00000003.1654159342.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654236666.0000000006202000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comTC
Source: CswRsjV3kH.exe, 00000000.00000003.1653867572.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1653674845.0000000006201000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comfac
Source: CswRsjV3kH.exe, 00000000.00000003.1653867572.0000000006202000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comint
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: CswRsjV3kH.exe, 00000000.00000003.1654998784.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654832344.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654472364.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654764234.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654699594.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654309116.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654887659.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654388886.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654625721.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1655063802.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654550278.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654944132.0000000006202000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comn-u
Source: CswRsjV3kH.exe, 00000000.00000003.1653867572.0000000006202000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comncy
Source: CswRsjV3kH.exe, 00000000.00000003.1654998784.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654832344.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654764234.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654887659.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1655063802.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654944132.0000000006202000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comoldbsKCt
Source: CswRsjV3kH.exe, 00000000.00000003.1654998784.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654832344.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654764234.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654699594.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654887659.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654625721.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1655063802.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654550278.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654944132.0000000006202000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.comubh
Source: CswRsjV3kH.exe, 00000000.00000002.1679039317.000000000050B000.00000040.00000001.01000000.00000003.sdmp, CswRsjV3kH.exe, 00000000.00000002.1679039317.000000000066C000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.enigmaprotector.com/
Source: CswRsjV3kH.exe, 00000000.00000002.1679039317.000000000050B000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.enigmaprotector.com/openU
Source: CswRsjV3kH.exe, 00000000.00000003.1659824764.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1664081319.00000000061FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: CswRsjV3kH.exe, 00000000.00000003.1659428876.00000000061FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: CswRsjV3kH.exe, 00000000.00000003.1659325114.0000000006227000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/
Source: CswRsjV3kH.exe, 00000000.00000003.1659356967.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1659428876.00000000061FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/.
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: CswRsjV3kH.exe, 00000000.00000003.1664791143.00000000061F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: CswRsjV3kH.exe, 00000000.00000003.1663935993.0000000006225000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html.
Source: CswRsjV3kH.exe, 00000000.00000003.1656362898.00000000061FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers0
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: CswRsjV3kH.exe, 00000000.00000003.1657068872.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656492734.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656362898.00000000061FB000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656940174.00000000061FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/jp/
Source: CswRsjV3kH.exe, 00000000.00000003.1656492734.00000000061FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/jp/ExKC
Source: CswRsjV3kH.exe, 00000000.00000003.1657068872.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657452652.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656492734.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656362898.00000000061FB000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657195062.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657286178.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657632244.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656940174.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657376337.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657543806.00000000061FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/oy
Source: CswRsjV3kH.exe, 00000000.00000003.1657068872.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656492734.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656940174.00000000061FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com0X
Source: CswRsjV3kH.exe, 00000000.00000003.1659428876.00000000061FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comF5y
Source: CswRsjV3kH.exe, 00000000.00000003.1659356967.00000000061FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comaExKC
Source: CswRsjV3kH.exe, 00000000.00000003.1659356967.00000000061FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comalic
Source: CswRsjV3kH.exe, 00000000.00000003.1660548876.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1660233223.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1659750310.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1660459235.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1660372621.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1659824764.00000000061FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comas
Source: CswRsjV3kH.exe, 00000000.00000003.1660645580.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1660548876.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1660233223.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1659575709.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1659750310.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1660459235.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1659499318.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1660372621.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1659642404.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1659824764.00000000061FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comgritoty
Source: CswRsjV3kH.exe, 00000000.00000003.1660645580.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1660548876.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1660233223.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1659750310.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1660459235.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1660372621.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1659824764.00000000061FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comivta
Source: CswRsjV3kH.exe, 00000000.00000003.1664306645.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1663965051.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1664081319.00000000061FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comoldooy
Source: CswRsjV3kH.exe, 00000000.00000003.1664306645.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1663965051.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1664434642.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1664081319.00000000061FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.comu
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: CswRsjV3kH.exe, 00000000.00000003.1664791143.00000000061F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: CswRsjV3kH.exe, 00000000.00000003.1664791143.00000000061F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/oy
Source: CswRsjV3kH.exe, 00000000.00000003.1664791143.00000000061F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/qmwB-
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1664791143.00000000061F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: CswRsjV3kH.exe, 00000000.00000003.1664791143.00000000061F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm)u
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: CswRsjV3kH.exe, 00000000.00000003.1656940174.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657918553.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657376337.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1658010386.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657543806.00000000061FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: CswRsjV3kH.exe, 00000000.00000003.1657068872.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656151119.00000000061F3000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656492734.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656362898.00000000061FB000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1655846532.00000000061F5000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1655527565.00000000061F3000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656940174.00000000061FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp//rdNxPCa
Source: CswRsjV3kH.exe, 00000000.00000003.1656492734.00000000061FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/1
Source: CswRsjV3kH.exe, 00000000.00000003.1656151119.00000000061F3000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656492734.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656362898.00000000061FB000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1655846532.00000000061F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/5y
Source: CswRsjV3kH.exe, 00000000.00000003.1656151119.00000000061F3000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1655527565.00000000061F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/ExKC
Source: CswRsjV3kH.exe, 00000000.00000003.1656151119.00000000061F3000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656492734.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656362898.00000000061FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Kurs
Source: CswRsjV3kH.exe, 00000000.00000003.1656940174.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657918553.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657376337.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1658010386.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657543806.00000000061FC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: CswRsjV3kH.exe, 00000000.00000003.1656362898.00000000061FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/ExKC
Source: CswRsjV3kH.exe, 00000000.00000003.1655846532.00000000061F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/oy
Source: CswRsjV3kH.exe, 00000000.00000003.1656151119.00000000061F3000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1655527565.00000000061F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/oy
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1653760373.0000000006208000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: CswRsjV3kH.exe, 00000000.00000003.1653507227.0000000006208000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cnS
Source: CswRsjV3kH.exe, 00000000.00000003.1653507227.0000000006208000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cns
Source: CswRsjV3kH.exe, 00000000.00000002.1681073229.000000000341C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.s
Source: CswRsjV3kH.exe, 00000000.00000002.1681073229.000000000341C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: CswRsjV3kH.exe, 00000000.00000002.1681073229.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000002.1681073229.00000000033B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9/users/
Source: CswRsjV3kH.exe, 00000000.00000002.1681073229.00000000035E3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: GetRawInputDatamemstr_dc51b542-f
Source: Yara match File source: Process Memory Space: CswRsjV3kH.exe PID: 7536, type: MEMORYSTR
Source: C:\Users\user\Desktop\CswRsjV3kH.exe File created: C:\Users\user\AppData\Local\Temp\TmpDBE7.tmp
                      Source: C:\Users\user\Desktop\CswRsjV3kH.exeFile created: C:\Users\user\AppData\Local\Temp\TmpDBC7.tmpJump to dropped file

                      System Summary

Source: 0.2.CswRsjV3kH.exe.30c9f16.3.raw.unpack, Strings.cs | Large array initialization: Strings: array initializer size 6160
Source: 0.2.CswRsjV3kH.exe.5da0000.9.raw.unpack, Strings.cs | Large array initialization: Strings: array initializer size 6160
Source: 0.2.CswRsjV3kH.exe.443f790.6.raw.unpack, Strings.cs | Large array initialization: Strings: array initializer size 6160
Source: 0.2.CswRsjV3kH.exe.43b6458.5.raw.unpack, Strings.cs | Large array initialization: Strings: array initializer size 6160
Source: 0.2.CswRsjV3kH.exe.55f0ee8.8.raw.unpack, Strings.cs | Large array initialization: Strings: array initializer size 6160
Source: 0.3.CswRsjV3kH.exe.555ff08.0.raw.unpack, Strings.cs | Large array initialization: Strings: array initializer size 6160
Source: CswRsjV3kH.exe | Static PE information: section name:
Source: CswRsjV3kH.exe | Static PE information: section name:
Source: CswRsjV3kH.exe | Static PE information: section name:
Source: CswRsjV3kH.exe | Static PE information: section name:
Source: CswRsjV3kH.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: 0_2_0320B040
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: 0_2_056970A8
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: 0_2_05697098
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: 0_2_0569509C
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: 0_2_072EA29C
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: 0_2_072E8028
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: 0_2_072E3AFC
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: 0_2_072E44B9
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: 0_2_09348198
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: 0_2_093489B8
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Process token adjusted: Security
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: String function: 0050F264 appears 47 times
Source: CswRsjV3kH.exe, 00000000.00000002.1685894112.0000000005E0D000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameStrobiloid.exe" vs CswRsjV3kH.exe
Source: CswRsjV3kH.exe, 00000000.00000003.1673844031.0000000004783000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameStrobiloid.exe" vs CswRsjV3kH.exe
Source: CswRsjV3kH.exe, 00000000.00000003.1673844031.0000000004551000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameStrobiloid.exe" vs CswRsjV3kH.exe
Source: CswRsjV3kH.exe, 00000000.00000003.1638897189.0000000000B78000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMsMpLics.dllj% vs CswRsjV3kH.exe
Source: CswRsjV3kH.exe, 00000000.00000002.1685662213.000000000565E000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameStrobiloid.exe" vs CswRsjV3kH.exe
Source: CswRsjV3kH.exe, 00000000.00000002.1685662213.000000000565E000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs CswRsjV3kH.exe
Source: CswRsjV3kH.exe, 00000000.00000002.1680722858.0000000003137000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameStrobiloid.exe" vs CswRsjV3kH.exe
Source: CswRsjV3kH.exe, 00000000.00000002.1680722858.0000000003137000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs CswRsjV3kH.exe
Source: CswRsjV3kH.exe, 00000000.00000003.1639408489.00000000055CD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameStrobiloid.exe" vs CswRsjV3kH.exe
Source: CswRsjV3kH.exe, 00000000.00000003.1639408489.00000000055CD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs CswRsjV3kH.exe
Source: CswRsjV3kH.exe, 00000000.00000002.1685108688.00000000044AC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameStrobiloid.exe" vs CswRsjV3kH.exe
Source: CswRsjV3kH.exe, 00000000.00000000.1634992563.00000000004EF000.00000080.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameStrobiloid.exe" vs CswRsjV3kH.exe
Source: CswRsjV3kH.exe, 00000000.00000002.1685108688.0000000004423000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameStrobiloid.exe" vs CswRsjV3kH.exe
Source: CswRsjV3kH.exe, 00000000.00000002.1685108688.0000000004423000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_.dll4 vs CswRsjV3kH.exe
Source: CswRsjV3kH.exe, 00000000.00000002.1678970760.00000000004EF000.00000080.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameStrobiloid.exe" vs CswRsjV3kH.exe
Source: CswRsjV3kH.exe | Binary or memory string: OriginalFilenameStrobiloid.exe" vs CswRsjV3kH.exe
Source: CswRsjV3kH.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: CswRsjV3kH.exe | Static PE information: Section: ZLIB complexity 0.9938467920353983
Source: CswRsjV3kH.exe | Static PE information: Section: ZLIB complexity 0.9993669519472361
Source: CswRsjV3kH.exe | Static PE information: Section: .data ZLIB complexity 0.9971359185710352
Source: 0.2.CswRsjV3kH.exe.30c9f16.3.raw.unpack, PBE.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.CswRsjV3kH.exe.30c9f16.3.raw.unpack, Strings.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.CswRsjV3kH.exe.5da0000.9.raw.unpack, PBE.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.CswRsjV3kH.exe.5da0000.9.raw.unpack, Strings.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.CswRsjV3kH.exe.443f790.6.raw.unpack, PBE.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.CswRsjV3kH.exe.443f790.6.raw.unpack, Strings.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.CswRsjV3kH.exe.43b6458.5.raw.unpack, PBE.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.CswRsjV3kH.exe.43b6458.5.raw.unpack, Strings.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.CswRsjV3kH.exe.55f0ee8.8.raw.unpack, PBE.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.CswRsjV3kH.exe.55f0ee8.8.raw.unpack, Strings.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.3.CswRsjV3kH.exe.555ff08.0.raw.unpack, PBE.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.CswRsjV3kH.exe.30c9f16.3.raw.unpack, Strings.cs | Base64 encoded string: 'JjgkEDEHHhMUBAJXMC4rVyBfOFYoWyA1Gl8jUgcxIC0XXRoQNFkWFgwrAisxWRYiEF44DytbDVUhFV5a'
Source: 0.2.CswRsjV3kH.exe.5da0000.9.raw.unpack, Strings.cs | Base64 encoded string: 'JjgkEDEHHhMUBAJXMC4rVyBfOFYoWyA1Gl8jUgcxIC0XXRoQNFkWFgwrAisxWRYiEF44DytbDVUhFV5a'
Source: 0.2.CswRsjV3kH.exe.443f790.6.raw.unpack, Strings.cs | Base64 encoded string: 'JjgkEDEHHhMUBAJXMC4rVyBfOFYoWyA1Gl8jUgcxIC0XXRoQNFkWFgwrAisxWRYiEF44DytbDVUhFV5a'
Source: 0.2.CswRsjV3kH.exe.43b6458.5.raw.unpack, Strings.cs | Base64 encoded string: 'JjgkEDEHHhMUBAJXMC4rVyBfOFYoWyA1Gl8jUgcxIC0XXRoQNFkWFgwrAisxWRYiEF44DytbDVUhFV5a'
Source: 0.2.CswRsjV3kH.exe.55f0ee8.8.raw.unpack, Strings.cs | Base64 encoded string: 'JjgkEDEHHhMUBAJXMC4rVyBfOFYoWyA1Gl8jUgcxIC0XXRoQNFkWFgwrAisxWRYiEF44DytbDVUhFV5a'
Source: 0.3.CswRsjV3kH.exe.555ff08.0.raw.unpack, Strings.cs | Base64 encoded string: 'JjgkEDEHHhMUBAJXMC4rVyBfOFYoWyA1Gl8jUgcxIC0XXRoQNFkWFgwrAisxWRYiEF44DytbDVUhFV5a'
Source: classification engine | Classification label: mal88.troj.evad.winEXE@2/5@0/0
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7544:120:WilError_03
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | File created: C:\Users\user\AppData\Local\Temp\TmpDBC7.tmp
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales (reported twice)
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | File read: C:\Program Files (x86)\desktop.ini
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: CswRsjV3kH.exe | ReversingLabs: Detection: 50%
Source: CswRsjV3kH.exe | Virustotal: Detection: 36%
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | File read: C:\Users\user\Desktop\CswRsjV3kH.exe
Source: unknown | Process created: C:\Users\user\Desktop\CswRsjV3kH.exe "C:\Users\user\Desktop\CswRsjV3kH.exe"
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Section loaded: msisip.dll
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Section loaded: wshext.dll
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Section loaded: appxsip.dll
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Section loaded: opcservices.dll
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Section loaded: esdsip.dll
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Section loaded: sxs.dll
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Google Chrome.lnk.0.dr | LNK file: ..\..\..\Program Files\Google\Chrome\Application\chrome.exe
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: CswRsjV3kH.exe | Static file information: File size 1762816 > 1048576
Source: Binary string: _.pdb | source: CswRsjV3kH.exe, 00000000.00000002.1685662213.000000000565E000.00000004.08000000.00040000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000002.1680722858.0000000003137000.00000004.00000800.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1639408489.00000000055CD000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000002.1685108688.0000000004423000.00000004.00000800.00020000.00000000.sdmp

                      Data Obfuscation

Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Unpacked PE file: 0.2.CswRsjV3kH.exe.400000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;.rsrc:EW;Unknown_Section5:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;.rsrc:EW;Unknown_Section5:EW;.data:EW;
Source: CswRsjV3kH.exe | Static PE information: real checksum: 0x23bfb should be: 0x1b5ee8
Source: CswRsjV3kH.exe | Static PE information: section name:
Source: CswRsjV3kH.exe | Static PE information: section name:
Source: CswRsjV3kH.exe | Static PE information: section name:
Source: CswRsjV3kH.exe | Static PE information: section name:
Source: CswRsjV3kH.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: 0_2_005133EA push 00513418h; ret | 0_2_00513410
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: 0_2_005243A0 push 00524400h; ret | 0_2_005243F8
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: 0_2_00524456 push 005245A4h; ret | 0_2_0052459C
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: 0_2_00525454 push 005254A1h; ret | 0_2_00525499
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: 0_2_0051345C push 00513488h; ret | 0_2_00513480
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: 0_2_00513424 push 00513450h; ret | 0_2_00513448
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: 0_2_005134F8 push 0051352Ch; ret | 0_2_00513524
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: 0_2_00513494 push 005134C0h; ret | 0_2_005134B8
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: 0_2_00523536 push 005235B5h; ret | 0_2_005235AD
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: 0_2_005115F0 push 00511641h; ret | 0_2_00511639
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: 0_2_0052262C push 005226A2h; ret | 0_2_0052269A
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: 0_2_0051B6DA push 0051B74Bh; ret | 0_2_0051B743
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: 0_2_00524684 push ecx; mov dword ptr [esp], ecx | 0_2_00524687
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: 0_2_005226A4 push 0052274Ch; ret | 0_2_00522744
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: 0_2_0052274E push 0052279Ch; ret | 0_2_00522794
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: 0_2_0051B85E push 0051B88Ch; ret | 0_2_0051B884
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: 0_2_00523804 push 00523830h; ret | 0_2_00523828
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: 0_2_005248F4 push ecx; mov dword ptr [esp], ecx | 0_2_005248F6
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: 0_2_005118AA push 005118D8h; ret | 0_2_005118D0
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: 0_2_00511968 push 00511994h; ret | 0_2_0051198C
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: 0_2_00512A48 push ecx; mov dword ptr [esp], eax | 0_2_00512A49
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: 0_2_00512CF2 push 00512D20h; ret | 0_2_00512D18
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: 0_2_0051AD60 push ecx; mov dword ptr [esp], edx | 0_2_0051AD65
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: 0_2_00512D2C push 00512D58h; ret | 0_2_00512D50
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: 0_2_0050DF90 push eax; ret | 0_2_0050DFCC
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: 0_2_05698F21 push 0C418B05h; ret | 0_2_05698F33
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: 0_2_05698E81 push 1C418B05h; ret | 0_2_05698E93
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: 0_2_0934550F push dword ptr [esp+ecx*2-75h]; ret | 0_2_09345513
Source: CswRsjV3kH.exe | Static PE information: section name: entropy: 7.990134528702455
Source: CswRsjV3kH.exe | Static PE information: section name: entropy: 7.94187495363733
Source: CswRsjV3kH.exe | Static PE information: section name: entropy: 7.276454522865523
Source: CswRsjV3kH.exe | Static PE information: section name: entropy: 7.9988804946234415
Source: CswRsjV3kH.exe | Static PE information: section name: .data entropy: 7.982788491977175

                      Persistence and Installation Behavior

Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Process information set: NOOPENFILEERRORBOX (48 occurrences in the report)

                      Malware Analysis System Evasion

Source: CswRsjV3kH.exe, 00000000.00000002.1681073229.00000000034AE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \QEMU-GA.EXE`,TQ
Source: CswRsjV3kH.exe, 00000000.00000002.1681073229.00000000034AE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \QEMU-GA.EXE@\TQ
Source: CswRsjV3kH.exe, 00000000.00000002.1681073229.00000000033B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \QEMU-GA.EXE@|-
Source: CswRsjV3kH.exe, 00000000.00000002.1681073229.00000000034AE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \QEMU-GA.EXE
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Memory allocated: 31C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Memory allocated: 33B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Memory allocated: 53B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\CswRsjV3kH.exe TID: 7600 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Thread delayed: delay time: 922337203685477
Source: CswRsjV3kH.exe, 00000000.00000002.1681073229.00000000034AE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \qemu-ga.exe@\tq
Source: CswRsjV3kH.exe, 00000000.00000002.1679039317.000000000050B000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: VBoxService.exe
Source: CswRsjV3kH.exe, 00000000.00000002.1681073229.00000000034AE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \qemu-ga.exe`,tq
Source: CswRsjV3kH.exe, 00000000.00000002.1686161317.0000000005F71000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\M
Source: CswRsjV3kH.exe, 00000000.00000002.1681073229.00000000034AE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \qemu-ga.exe
Source: CswRsjV3kH.exe, CswRsjV3kH.exe, 00000000.00000002.1679039317.0000000000651000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: ~VirtualMachineTypes
Source: CswRsjV3kH.exe, CswRsjV3kH.exe, 00000000.00000002.1679039317.0000000000651000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: ]DLL_Loader_VirtualMachine
Source: CswRsjV3kH.exe, 00000000.00000002.1679039317.000000000050B000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: VMWare
Source: CswRsjV3kH.exe, 00000000.00000003.1677397008.0000000005F70000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: CswRsjV3kH.exe, 00000000.00000002.1679039317.0000000000651000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: CswRsjV3kH.exe, 00000000.00000002.1679039317.000000000050B000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: &VBoxService.exe
Source: CswRsjV3kH.exe, 00000000.00000002.1681073229.00000000033B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: \qemu-ga.exe@|-

Anti Debugging

Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Code function: 0_2_02774448 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Memory allocated: page read and write | page guard
Source: CswRsjV3kH.exe, 00000000.00000002.1681073229.00000000035E3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: GetProgmanWindow
Source: CswRsjV3kH.exe, 00000000.00000002.1681073229.00000000035E3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SetProgmanWindow
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Desktop\CswRsjV3kH.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.CswRsjV3kH.exe.43b6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.CswRsjV3kH.exe.555ff08.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CswRsjV3kH.exe.55f0ee8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CswRsjV3kH.exe.55f0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CswRsjV3kH.exe.30c9f16.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CswRsjV3kH.exe.443f790.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CswRsjV3kH.exe.5da0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CswRsjV3kH.exe.30c9f16.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CswRsjV3kH.exe.5da0000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.CswRsjV3kH.exe.555ff08.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CswRsjV3kH.exe.43b6458.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CswRsjV3kH.exe.55f0ee8.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CswRsjV3kH.exe.55f0000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CswRsjV3kH.exe.443f790.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CswRsjV3kH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1680722858.00000000030C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1685662213.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1685108688.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1639408489.000000000555F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1685108688.0000000004423000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1685894112.0000000005DA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: 0.2.CswRsjV3kH.exe.43b6458.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.CswRsjV3kH.exe.555ff08.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CswRsjV3kH.exe.55f0ee8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CswRsjV3kH.exe.55f0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CswRsjV3kH.exe.30c9f16.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CswRsjV3kH.exe.443f790.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CswRsjV3kH.exe.5da0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CswRsjV3kH.exe.30c9f16.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CswRsjV3kH.exe.5da0000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.CswRsjV3kH.exe.555ff08.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CswRsjV3kH.exe.43b6458.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CswRsjV3kH.exe.55f0ee8.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CswRsjV3kH.exe.55f0000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CswRsjV3kH.exe.443f790.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.CswRsjV3kH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1680722858.00000000030C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1685662213.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1685108688.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1639408489.000000000555F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1685108688.0000000004423000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1685894112.0000000005DA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK matrix (one column per tactic; the bracketed number next to a technique is the count shown in the original matrix for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Process Injection [2]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [131]; Process Injection [2]; Deobfuscate/Decode Files or Information [11]; Obfuscated Files or Information [41]; Install Root Certificate [1]; Software Packing [12]; DLL Side-Loading [1]
Credential Access: Input Capture [11]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: Security Software Discovery [21]; Process Discovery [1]; Virtualization/Sandbox Evasion [131]; File and Directory Discovery [1]; System Information Discovery [12]; Wi-Fi Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Input Capture [11]; Archive Collected Data [11]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel [1]; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Source | Detection | Scanner | Label
CswRsjV3kH.exe | 50% | ReversingLabs | Win32.Trojan.RedLine
CswRsjV3kH.exe | 37% | Virustotal | -
CswRsjV3kH.exe | 100% | Joe Sandbox ML | -
                      No Antivirus matches
                      No Antivirus matches
                      No Antivirus matches
Source | Detection | Scanner | Label
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.ascendercorp.com/typedesigners.html | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
https://api.ip.sb/ip | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/bThe | 0% | Virustotal | -
http://www.enigmaprotector.com/openU | 1% | Virustotal | -
http://www.founder.com.cn/cn/cThe | 0% | Virustotal | -
http://www.jiyu-kobo.co.jp/jp/oy | 0% | Virustotal | -
http://www.carterandcone.com | 0% | Virustotal | -
http://www.jiyu-kobo.co.jp/oy | 0% | Virustotal | -
https://discord.com/api/v9/users/ | 0% | Virustotal | -
http://www.jiyu-kobo.co.jp/1 | 0% | Virustotal | -
http://www.jiyu-kobo.co.jp/Kurs | 0% | Virustotal | -
http://www.zhongyicts.com.cn | 1% | Virustotal | -
http://www.galapagosdesign.com/ | 0% | Virustotal | -
http://www.galapagosdesign.com/oy | 0% | Virustotal | -
http://www.jiyu-kobo.co.jp/jp/ | 0% | Virustotal | -
http://www.founder.com.cn/cn | 0% | Virustotal | -
http://www.jiyu-kobo.co.jp/5y | 0% | Virustotal | -
http://www.galapagosdesign.com/staff/dennis.htm)u | 0% | Virustotal | -
http://www.enigmaprotector.com/ | 0% | Virustotal | -
                      No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com/oy | CswRsjV3kH.exe, 00000000.00000003.1657068872.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657452652.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656492734.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656362898.00000000061FB000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657195062.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657286178.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657632244.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656940174.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657376337.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657543806.00000000061FC000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.galapagosdesign.com/qmwB- | CswRsjV3kH.exe, 00000000.00000003.1664791143.00000000061F5000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://www.carterandcone.comn-u | CswRsjV3kH.exe, 00000000.00000003.1654998784.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654832344.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654472364.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654764234.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654699594.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654309116.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654887659.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654388886.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654625721.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1655063802.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654550278.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654944132.0000000006202000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://www.fontbureau.com/designers/? | CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.founder.com.cn/cn/bThe | CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://www.fontbureau.com/designers? | CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com/designers/frere-user.html. | CswRsjV3kH.exe, 00000000.00000003.1663935993.0000000006225000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.enigmaprotector.com/openU | CswRsjV3kH.exe, 00000000.00000002.1679039317.000000000050B000.00000040.00000001.01000000.00000003.sdmp | false | - | unknown
http://www.tiro.com | CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ip.s | CswRsjV3kH.exe, 00000000.00000002.1681073229.000000000341C000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://www.fontbureau.com/designers | CswRsjV3kH.exe, 00000000.00000003.1659428876.00000000061FC000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.comgritoty | CswRsjV3kH.exe, 00000000.00000003.1660645580.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1660548876.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1660233223.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1659575709.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1659750310.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1660459235.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1659499318.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1660372621.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1659642404.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1659824764.00000000061FC000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://www.goodfont.co.kr | CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.com | CswRsjV3kH.exe, 00000000.00000003.1654236666.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654472364.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654764234.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656362898.00000000061FB000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657195062.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1658370268.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1655846532.00000000061F5000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1658538269.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654699594.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1655527565.00000000061F3000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1658182658.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657286178.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657632244.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656940174.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654887659.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654011505.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657918553.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1653941163.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654388886.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657376337.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654625721.0000000006202000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://www.fontbureau.comivta | CswRsjV3kH.exe, 00000000.00000003.1660645580.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1660548876.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1660233223.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1659750310.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1660459235.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1660372621.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1659824764.00000000061FC000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://www.sajatypeworks.com | CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.comas | CswRsjV3kH.exe, 00000000.00000003.1660548876.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1660233223.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1659750310.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1660459235.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1660372621.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1659824764.00000000061FC000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://www.founder.com.cn/cn/cThe | CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://www.galapagosdesign.com/staff/dennis.htm | CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1664791143.00000000061F5000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/jp/oy | CswRsjV3kH.exe, 00000000.00000003.1655846532.00000000061F5000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://www.jiyu-kobo.co.jp/Kurs | CswRsjV3kH.exe, 00000000.00000003.1656151119.00000000061F3000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656492734.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656362898.00000000061FB000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://www.jiyu-kobo.co.jp/oy | CswRsjV3kH.exe, 00000000.00000003.1656151119.00000000061F3000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1655527565.00000000061F3000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://www.jiyu-kobo.co.jp/1 | CswRsjV3kH.exe, 00000000.00000003.1656492734.00000000061FC000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://discord.com/api/v9/users/ | CswRsjV3kH.exe, 00000000.00000002.1681073229.00000000034AE000.00000004.00000800.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000002.1681073229.00000000033B1000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://www.galapagosdesign.com/DPlease | CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.ascendercorp.com/typedesigners.html | CswRsjV3kH.exe, 00000000.00000003.1664654420.0000000006225000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1664764436.0000000006225000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1664462458.00000000061F3000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1664434642.00000000061FC000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.com | CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.sandoll.co.kr | CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/. | CswRsjV3kH.exe, 00000000.00000003.1659356967.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1659428876.00000000061FC000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.urwpp.deDPlease | CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1653760373.0000000006208000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://www.jiyu-kobo.co.jp/ExKC | CswRsjV3kH.exe, 00000000.00000003.1656151119.00000000061F3000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1655527565.00000000061F3000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://www.sakkal.com | CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com0X | CswRsjV3kH.exe, 00000000.00000003.1657068872.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656492734.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656940174.00000000061FC000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://www.fontbureau.comaExKC | CswRsjV3kH.exe, 00000000.00000003.1659356967.00000000061FC000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://www.apache.org/licenses/LICENSE-2.0 | CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://www.fontbureau.com | CswRsjV3kH.exe, 00000000.00000003.1659824764.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1664081319.00000000061FC000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.galapagosdesign.com/ | CswRsjV3kH.exe, 00000000.00000003.1664791143.00000000061F5000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://www.galapagosdesign.com/oy | CswRsjV3kH.exe, 00000000.00000003.1664791143.00000000061F5000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://api.ip.sb/ip | CswRsjV3kH.exe, 00000000.00000002.1681073229.000000000341C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comTC | CswRsjV3kH.exe, 00000000.00000003.1654159342.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654236666.0000000006202000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://www.carterandcone.comfac | CswRsjV3kH.exe, 00000000.00000003.1653867572.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1653674845.0000000006201000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://www.zhongyicts.com.cns | CswRsjV3kH.exe, 00000000.00000003.1653507227.0000000006208000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://www.jiyu-kobo.co.jp/jp/ | CswRsjV3kH.exe, 00000000.00000003.1656940174.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657918553.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657376337.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1658010386.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657543806.00000000061FC000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://www.jiyu-kobo.co.jp/5y | CswRsjV3kH.exe, 00000000.00000003.1656151119.00000000061F3000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656492734.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656362898.00000000061FB000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1655846532.00000000061F5000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
http://www.carterandcone.coml | CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.comubh | CswRsjV3kH.exe, 00000000.00000003.1654998784.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654832344.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654764234.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654699594.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654887659.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654625721.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1655063802.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654550278.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654944132.0000000006202000.00000004.00000020.00020000.00000000.sdmp | false | - |
                                                                    unknown
                                                                    http://www.fontbureau.com/designers/cabarga.htmlNCswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://www.carterandcone.comintCswRsjV3kH.exe, 00000000.00000003.1653867572.0000000006202000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        unknown
                                                                        http://www.founder.com.cn/cnCswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                                                                        http://www.fontbureau.com/designers/frere-user.htmlCswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://www.fontbureau.comoldooyCswRsjV3kH.exe, 00000000.00000003.1664306645.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1663965051.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1664081319.00000000061FC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            unknown
                                                                            http://www.fontbureau.com/designers/cabarga.htmlCswRsjV3kH.exe, 00000000.00000003.1664791143.00000000061F5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://www.galapagosdesign.com/staff/dennis.htm)uCswRsjV3kH.exe, 00000000.00000003.1664791143.00000000061F5000.00000004.00000020.00020000.00000000.sdmpfalseunknown
                                                                              http://www.carterandcone.comoldbsKCtCswRsjV3kH.exe, 00000000.00000003.1654998784.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654832344.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654764234.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654887659.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1655063802.0000000006202000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1654944132.0000000006202000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                unknown
                                                                                http://www.jiyu-kobo.co.jp/CswRsjV3kH.exe, 00000000.00000003.1656940174.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657918553.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657376337.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1658010386.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1657543806.00000000061FC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                http://www.fontbureau.com/designers8CswRsjV3kH.exe, 00000000.00000002.1686585727.0000000007362000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://www.fontbureau.comF5yCswRsjV3kH.exe, 00000000.00000003.1659428876.00000000061FC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    unknown
                                                                                    http://www.jiyu-kobo.co.jp/jp/ExKCCswRsjV3kH.exe, 00000000.00000003.1656362898.00000000061FB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      unknown
                                                                                      http://www.fontbureau.com/jp/ExKCCswRsjV3kH.exe, 00000000.00000003.1656492734.00000000061FC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://www.fontbureau.comalicCswRsjV3kH.exe, 00000000.00000003.1659356967.00000000061FC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          unknown
                                                                                          http://www.fontbureau.comuCswRsjV3kH.exe, 00000000.00000003.1664306645.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1663965051.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1664434642.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1664081319.00000000061FC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            unknown
                                                                                            http://www.carterandcone.comncyCswRsjV3kH.exe, 00000000.00000003.1653867572.0000000006202000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              unknown
                                                                                              http://www.fontbureau.com/jp/CswRsjV3kH.exe, 00000000.00000003.1657068872.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656492734.00000000061FC000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656362898.00000000061FB000.00000004.00000020.00020000.00000000.sdmp, CswRsjV3kH.exe, 00000000.00000003.1656940174.00000000061FC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://www.zhongyicts.com.cnSCswRsjV3kH.exe, 00000000.00000003.1653507227.0000000006208000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  unknown
                                                                                                  http://www.enigmaprotector.com/CswRsjV3kH.exe, 00000000.00000002.1679039317.000000000050B000.00000040.00000001.01000000.00000003.sdmp, CswRsjV3kH.exe, 00000000.00000002.1679039317.000000000066C000.00000040.00000001.01000000.00000003.sdmpfalseunknown
                                                                                                  http://www.fontbureau.com/designers0CswRsjV3kH.exe, 00000000.00000003.1656362898.00000000061FB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://www.fontbureau.com/designers/CswRsjV3kH.exe, 00000000.00000003.1659325114.0000000006227000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      high
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1429015
Start date and time:2024-04-20 02:26:06 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 7m 34s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:8
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:CswRsjV3kH.exe
renamed because original name is a hash value
Original Sample Name:3E6CD9723E292652064FC1A06D75CBE4.exe
Detection:MAL
Classification:mal88.troj.evad.winEXE@2/5@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 76%
• Number of executed functions: 72
• Number of non-executed functions: 7
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
No simulations
No context
No context
No context
No context
No context
Process:C:\Users\user\Desktop\CswRsjV3kH.exe
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 11:02:30 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
Category:dropped
Size (bytes):2106
Entropy (8bit):3.4534941717524874
Encrypted:false
SSDEEP:48:8SadATkoGRYrnvPdAKRkdAs6IdAKRFdAKR/U:8SBt
MD5:9875E104CB324E01FAFCC8FFE1FE03B2
SHA1:5C33977193136157B9380CEC5B6C2AD95898EEC1
SHA-256:A9D4490252C80800C3E2643047905F5E47331BA0C00BB738A6B28C5611330A51
SHA-512:A06C04C9B2E034AC2AAF345306ED428080C81A29117FD0C7DB19652B044016D1A3E5F96DBAB41CA6F103FB004C63100A33E86EA538E76F5F58D820843FEB2A74
Malicious:false
Reputation:low
                                                                                                      Preview:L..................F.@.. ......,......d........q.... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IDW5`....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VDWP`....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VDWP`....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VDWP`..........................."&.A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.+ .chrome.exe..F......CW.VDWI`..........................,.6.c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.".-.-.p.r.o.x.y.-.s.e.r.v.e.r
Process:C:\Users\user\Desktop\CswRsjV3kH.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1299
Entropy (8bit):5.342376182732888
Encrypted:false
SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4xLE4qE4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0H6
MD5:D62639C5676A8FA1A0C2215824B6553A
SHA1:544B2C6E7A43CE06B68DF441CC237AB7A742B5CD
SHA-256:761379FF547D28D053F7683499D25F7F1B5523CC7262A2DA64AF26448F7E2D76
SHA-512:5B46D1BDB899D8FA5C7431CA7061CDD1F00BE14CD53B630FAB52E52DA20F4B2BED405F932D7C0E9D74D84129D5BB5DE9B32CC709DA3D6995423E2ED91E92ACD3
Malicious:false
Reputation:moderate, very likely benign file
                                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process:C:\Users\user\Desktop\CswRsjV3kH.exe
File Type:data
Category:dropped
Size (bytes):2662
Entropy (8bit):7.8230547059446645
Encrypted:false
SSDEEP:48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:false
Reputation:moderate, very likely benign file
                                                                                                      Preview:0..b...0.."..*.H..............0...0.....*.H..............0...0.....*.H............0...0...*.H.......0...p.,|.(.............mW.....$|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%..*.X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...|B.d..kr.=G.g.v..f.d.C.?..*.0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.
Process:C:\Users\user\Desktop\CswRsjV3kH.exe
File Type:data
Category:dropped
Size (bytes):2662
Entropy (8bit):7.8230547059446645
Encrypted:false
SSDEEP:48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:false
Reputation:moderate, very likely benign file
                                                                                                      Preview:0..b...0.."..*.H..............0...0.....*.H..............0...0.....*.H............0...0...*.H.......0...p.,|.(.............mW.....$|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%..*.X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...|B.d..kr.=G.g.v..f.d.C.?..*.0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.
Process:C:\Users\user\Desktop\CswRsjV3kH.exe
File Type:data
Category:dropped
Size (bytes):2251
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:0158FE9CEAD91D1B027B795984737614
SHA1:B41A11F909A7BDF1115088790A5680AC4E23031B
SHA-256:513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
SHA-512:C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
Malicious:false
Reputation:moderate, very likely benign file
                                                                                                      Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
File type: PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit): 7.515757857185975
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: CswRsjV3kH.exe
File size: 1'762'816 bytes
MD5: 3e6cd9723e292652064fc1a06d75cbe4
SHA1: f1f8ab71fa3dd76b0491c4b5133fdeb2f9fae162
SHA256: 9172b16ccd9506d70f0ef99e07853e683f700a0b79f83dfa6a121abf97ec48cd
SHA512: ebbac6b06912168ac1b3c43d2f550b195c4cd4049b89d21d5cc35500426dd8abf9438aa38ec6ae03d7af0f758276cc274bf3cda7fe216b68e1a5ec6ddf3d464e
SSDEEP: 49152:ZBaDiV56zgxirjfacAwpccp9Fq/uNhgr+fjS:ZL6Exnxxcp9IbyO
TLSH: 5A85129FB1180E5BC82F7872248A87761E359EAD4DCE0662E3E3FF3B76763500A55106
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......h..-,q.~,q.~,q.~2#.~?q.~...~+q.~,q.~\q.~2#n~.q.~2#i~.q.~2#{~-q.~Rich,q.~.................u......PE..L...t..P..........#........
Icon Hash: 074d0d1d181b482b
Entrypoint: 0x40112c
Entrypoint Section:
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x5000A574 [Fri Jul 13 22:47:16 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: 9dc580b98fdc55e0bc3b6c6f01e8c0c2
Entrypoint instructions:
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 00401000h
call 00007FB170F3E716h
call far 5DE5h : 8B10C483h
jmp 00007FB1713A9099h
mov bl, C2h
Programming Language:
• [ASM] VS2008 build 21022
• [IMP] VS2005 build 50727
• [C++] VS2008 build 21022
• [ C ] VS2008 build 21022
• [LNK] VS2008 build 21022
Data directories (Name, Virtual Address, Virtual Size, Is in Section):
IMAGE_DIRECTORY_ENTRY_EXPORT: VA 0x0, size 0x0
IMAGE_DIRECTORY_ENTRY_IMPORT: VA 0x38a000, size 0x210, in section .data
IMAGE_DIRECTORY_ENTRY_RESOURCE: VA 0xaf000, size 0x5b700, in section .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION: VA 0x0, size 0x0
IMAGE_DIRECTORY_ENTRY_SECURITY: VA 0x0, size 0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC: VA 0x0, size 0x0
IMAGE_DIRECTORY_ENTRY_DEBUG: VA 0x0, size 0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT: VA 0x0, size 0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR: VA 0x0, size 0x0
IMAGE_DIRECTORY_ENTRY_TLS: VA 0x0, size 0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG: VA 0x0, size 0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT: VA 0x0, size 0x0
IMAGE_DIRECTORY_ENTRY_IAT: VA 0x0, size 0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT: VA 0x0, size 0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: VA 0x0, size 0x0
IMAGE_DIRECTORY_ENTRY_RESERVED: VA 0x0, size 0x0
Sections (Name, Virtual Address, Virtual Size, Raw Size, MD5, Xored PE, ZLIB Complexity, File Type, Entropy, Characteristics); all sections carry the same characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed): VA 0x1000, virtual size 0x1a000, raw size 0xe200, MD5 2c03bffb494624a78d4220728e7d938c, Xored PE: False, ZLIB complexity 0.9938467920353983, file type: DOS executable (COM, 0x8C-variant), entropy 7.990134528702455
(unnamed): VA 0x1b000, virtual size 0x7000, raw size 0x3a00, MD5 5c9968f95ae221e2dd26049db7df0654, Xored PE: False, ZLIB complexity 0.9791217672413793, file type: data, entropy 7.94187495363733
(unnamed): VA 0x22000, virtual size 0x4000, raw size 0x800, MD5 53e381e4c9002e0f1309f61d47f6712e, Xored PE: False, ZLIB complexity 0.87646484375, file type: data, entropy 7.276454522865523
(unnamed): VA 0x26000, virtual size 0x89000, raw size 0x31c00, MD5 d7901c256cd56bd67a7b57386378e383, Xored PE: False, ZLIB complexity 0.9993669519472361, file type: data, entropy 7.9988804946234415
.rsrc: VA 0xaf000, virtual size 0x5c000, raw size 0x5b800, MD5 32cda2f85a9cfb79cfacfe0b93421938, Xored PE: False, ZLIB complexity 0.23622673326502733, file type: data, entropy 4.07890570382605
(unnamed): VA 0x10b000, virtual size 0x27f000, raw size 0x2ba00, MD5 e06f66a95f64988599cb748281f683f0, Xored PE: unknown, ZLIB complexity unknown, file type: unknown, entropy unknown
.data: VA 0x38a000, virtual size 0xe3000, raw size 0xe3000, MD5 d0beac6c43077501afb25d778f17b321, Xored PE: False, ZLIB complexity 0.9971359185710352, file type: data, entropy 7.982788491977175
Resources (Name, RVA, Size, Type, Language, Country, ZLIB Complexity); the Language and Country columns are empty for every entry:
RT_ICON: RVA 0xaf2d4, size 0x42028, type: Device independent bitmap graphic, 256 x 512 x 32, image size 270336, ZLIB complexity 0.18654392401692457
RT_ICON: RVA 0xf12fc, size 0x10828, type: Device independent bitmap graphic, 128 x 256 x 32, image size 67584, ZLIB complexity 0.3163965456051106
RT_ICON: RVA 0x101b24, size 0x4228, type: Device independent bitmap graphic, 64 x 128 x 32, image size 16896, ZLIB complexity 0.4146197449220595
RT_ICON: RVA 0x105d4c, size 0x25a8, type: Device independent bitmap graphic, 48 x 96 x 32, image size 9600, ZLIB complexity 0.47883817427385894
RT_ICON: RVA 0x1082f4, size 0x10a8, type: Device independent bitmap graphic, 32 x 64 x 32, image size 4224, ZLIB complexity 0.5189962476547842
RT_ICON: RVA 0x10939c, size 0x988, type: Device independent bitmap graphic, 24 x 48 x 32, image size 2400, ZLIB complexity 0.5881147540983607
RT_ICON: RVA 0x109d24, size 0x468, type: Device independent bitmap graphic, 16 x 32 x 32, image size 1088, ZLIB complexity 0.6152482269503546
RT_RCDATA: RVA 0x8118c, size 0x2d063, type: empty, ZLIB complexity 0
RT_RCDATA: RVA 0xae1f0, size 0x20, type: empty, ZLIB complexity 0
RT_GROUP_ICON: RVA 0x10a18c, size 0x68, type: data, ZLIB complexity 0.7403846153846154
RT_VERSION: RVA 0x10a1f4, size 0x31e, type: data, ZLIB complexity 0.449874686716792
RT_MANIFEST: RVA 0x10a514, size 0x1ea, type: XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators, ZLIB complexity 0.5489795918367347
Imports (DLL: imported functions):
kernel32.dll: GetModuleHandleA, GetProcAddress, ExitProcess, LoadLibraryA
user32.dll: MessageBoxA
advapi32.dll: RegCloseKey
oleaut32.dll: SysFreeString
gdi32.dll: CreateFontA
shell32.dll: ShellExecuteA
version.dll: GetFileVersionInfoA
ole32.dll: OleInitialize
No network behavior found

Target ID: 0
Start time: 02:26:54
Start date: 20/04/2024
Path: C:\Users\user\Desktop\CswRsjV3kH.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\CswRsjV3kH.exe"
Imagebase: 0x400000
File size: 1'762'816 bytes
MD5 hash: 3E6CD9723E292652064FC1A06D75CBE4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1680722858.00000000030C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1685662213.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1685108688.00000000043B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000003.1639408489.000000000555F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1685108688.0000000004423000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1685894112.0000000005DA0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 1
Start time: 02:26:54
Start date: 20/04/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Execution Graph
Execution Coverage: 13.9%
Dynamic/Decrypted Code Coverage: 99.3%
Signature Coverage: 0.5%
Total number of Nodes: 582
Total number of Limit Nodes: 46
CreateFileA CreateFileA ReadFile ReadFile 67298->67299 67300 5694e27 67299->67300 67302 5696b38 SendMessageW CreateFileA CreateFileA ReadFile ReadFile 67300->67302 67303 5696b50 SendMessageW CreateFileA CreateFileA ReadFile ReadFile 67300->67303 67301 5694e31 67301->67293 67302->67301 67303->67301 67307 5695499 67306->67307 67308 5695582 67307->67308 67322 72e65a0 67307->67322 67327 72e6590 67307->67327 67308->67308 67312 56952a6 67311->67312 67313 5695377 67312->67313 67317 5695582 67312->67317 67318 56953e3 67312->67318 67319 569b9f0 5 API calls 67312->67319 67314 5694324 5 API calls 67313->67314 67313->67318 67314->67318 67315 569531e 67316 5695372 KiUserCallbackDispatcher 67315->67316 67316->67313 67318->67317 67320 72e65a0 5 API calls 67318->67320 67321 72e6590 5 API calls 67318->67321 67319->67315 67320->67317 67321->67317 67323 72e65ca 67322->67323 67332 72e6888 67323->67332 67337 72e6862 67323->67337 67324 72e65ed 67324->67308 67328 72e65ca 67327->67328 67330 72e6888 5 API calls 67328->67330 67331 72e6862 5 API calls 67328->67331 67329 72e65ed 67329->67308 67330->67329 67331->67329 67334 72e68ac 67332->67334 67333 72e68dc 67333->67324 67343 5695f08 67334->67343 67350 5695f02 67334->67350 67338 72e686e 67337->67338 67339 72e6890 67337->67339 67338->67324 67341 5695f08 5 API calls 67339->67341 67342 5695f02 5 API calls 67339->67342 67340 72e68dc 67340->67324 67341->67340 67342->67340 67344 5695f25 67343->67344 67345 5694324 5 API calls 67344->67345 67347 5695f69 67344->67347 67345->67347 67346 569604a 67346->67333 67347->67346 67357 72e6920 67347->67357 67362 72e6910 67347->67362 67351 5695f08 67350->67351 67352 5694324 5 API calls 67351->67352 67354 5695f69 67351->67354 67352->67354 67353 569604a 67353->67333 67354->67353 67355 72e6920 5 API calls 67354->67355 67356 72e6910 5 API calls 67354->67356 67355->67354 67356->67354 67358 72e692c 67357->67358 67359 72e6934 67357->67359 67367 5fda7a6 67358->67367 67371 5fda7a8 67358->67371 67359->67347 67363 72e692c 
67362->67363 67364 72e6934 67362->67364 67365 5fda7a8 5 API calls 67363->67365 67366 5fda7a6 5 API calls 67363->67366 67364->67347 67365->67364 67366->67364 67368 5fda7b5 67367->67368 67369 5695f08 5 API calls 67367->67369 67370 5695f02 5 API calls 67367->67370 67368->67359 67369->67368 67370->67368 67373 5695f08 5 API calls 67371->67373 67374 5695f02 5 API calls 67371->67374 67372 5fda7b5 67372->67359 67373->67372 67374->67372 67486 5698f98 67487 5699030 CreateWindowExW 67486->67487 67489 569916e 67487->67489 67490 5696b1d 67491 5696b28 67490->67491 67492 72e7988 4 API calls 67490->67492 67493 72e7998 4 API calls 67490->67493 67494 72e79f0 4 API calls 67490->67494 67492->67491 67493->67491 67494->67491 67056 72e26b8 67057 72e271d SetWindowTextW 67056->67057 67058 72e270b 67056->67058 67059 72e2768 67057->67059 67058->67057 67375 72e2af8 67377 72e2b12 67375->67377 67376 72e2b9c 67378 72e19d0 2 API calls 67377->67378 67379 72e19c1 2 API calls 67377->67379 67378->67376 67379->67376 67060 2773de0 Module32FirstW 67061 2773e55 67060->67061 67068 2abd01c 67069 2abd034 67068->67069 67070 2abd08e 67069->67070 67075 5699230 67069->67075 67079 569a059 67069->67079 67088 56981e4 67069->67088 67097 5699221 67069->67097 67076 5699256 67075->67076 67077 56981e4 2 API calls 67076->67077 67078 5699277 67077->67078 67078->67070 67080 569a068 67079->67080 67081 569a0c9 67080->67081 67083 569a0b9 67080->67083 67117 569830c 67081->67117 67101 569a2bc 67083->67101 67107 569a1e0 67083->67107 67112 569a1f0 67083->67112 67084 569a0c7 67089 56981ef 67088->67089 67090 569a0c9 67089->67090 67092 569a0b9 67089->67092 67091 569830c 2 API calls 67090->67091 67093 569a0c7 67091->67093 67094 569a2bc 2 API calls 67092->67094 67095 569a1e0 2 API calls 67092->67095 67096 569a1f0 2 API calls 67092->67096 67094->67093 67095->67093 67096->67093 67098 5699256 67097->67098 67099 56981e4 2 API calls 67098->67099 67100 5699277 67099->67100 67100->67070 67102 569a27a 67101->67102 67103 569a2ca 67101->67103 
67124 569a2a8 67102->67124 67131 569a298 67102->67131 67104 569a290 67104->67084 67109 569a204 67107->67109 67108 569a290 67108->67084 67110 569a2a8 2 API calls 67109->67110 67111 569a298 2 API calls 67109->67111 67110->67108 67111->67108 67113 569a204 67112->67113 67115 569a2a8 2 API calls 67113->67115 67116 569a298 2 API calls 67113->67116 67114 569a290 67114->67084 67115->67114 67116->67114 67118 5698317 67117->67118 67119 569b7fc 67118->67119 67120 569b752 67118->67120 67122 56981e4 CallWindowProcW 67119->67122 67121 569b7aa CallWindowProcW 67120->67121 67123 569b759 67120->67123 67121->67123 67122->67123 67123->67084 67125 569a2b9 67124->67125 67138 569b6ea 67124->67138 67141 72e1360 67124->67141 67160 72e6ada 67124->67160 67165 72e6ae8 67124->67165 67170 72e134f 67124->67170 67125->67104 67132 72e134f 2 API calls 67131->67132 67133 569a2b9 67131->67133 67134 569b6ea 2 API calls 67131->67134 67135 72e6ada 2 API calls 67131->67135 67136 72e6ae8 2 API calls 67131->67136 67137 72e1360 2 API calls 67131->67137 67132->67133 67133->67104 67134->67133 67135->67133 67136->67133 67137->67133 67139 569830c 2 API calls 67138->67139 67140 569b6fa 67139->67140 67140->67125 67142 72e1379 67141->67142 67150 72e1395 67141->67150 67143 72e137e 67142->67143 67144 72e13c0 67142->67144 67145 72e139a 67143->67145 67146 72e1383 67143->67146 67147 72e164c 67144->67147 67144->67150 67145->67150 67154 72e1614 67145->67154 67157 72e14c6 67145->67157 67148 72e138c 67146->67148 67149 72e15aa 67146->67149 67197 72e0de8 67147->67197 67148->67150 67153 72e1622 67148->67153 67189 72e0d38 67149->67189 67150->67157 67201 72e1930 67150->67201 67206 72e1920 67150->67206 67211 72e0db8 CallWindowProcW CallWindowProcW 67153->67211 67193 72e0da8 67154->67193 67157->67125 67161 72e6af6 67160->67161 67162 72e6b28 67160->67162 67163 72e6afd 67161->67163 67245 72e6b42 67161->67245 67162->67125 67163->67125 67166 72e6af6 67165->67166 67167 72e6b28 67165->67167 67168 72e6afd 67166->67168 67169 72e6b42 2 
API calls 67166->67169 67167->67125 67168->67125 67169->67168 67171 72e1379 67170->67171 67179 72e1395 67170->67179 67172 72e137e 67171->67172 67173 72e13c0 67171->67173 67174 72e139a 67172->67174 67175 72e1383 67172->67175 67176 72e164c 67173->67176 67173->67179 67174->67179 67183 72e1614 67174->67183 67186 72e14c6 67174->67186 67177 72e138c 67175->67177 67178 72e15aa 67175->67178 67181 72e0de8 2 API calls 67176->67181 67177->67179 67182 72e1622 67177->67182 67180 72e0d38 2 API calls 67178->67180 67179->67186 67187 72e1920 2 API calls 67179->67187 67188 72e1930 2 API calls 67179->67188 67180->67186 67181->67186 67251 72e0db8 CallWindowProcW CallWindowProcW 67182->67251 67185 72e0da8 2 API calls 67183->67185 67185->67186 67186->67125 67187->67186 67188->67186 67190 72e0d43 67189->67190 67191 72e1930 2 API calls 67190->67191 67192 72e1b46 67191->67192 67192->67157 67194 72e0db3 67193->67194 67195 72e1930 2 API calls 67194->67195 67196 72e7984 67195->67196 67196->67157 67198 72e0df3 67197->67198 67199 72e1930 2 API calls 67198->67199 67200 72e2bd1 67199->67200 67200->67157 67202 72e1942 67201->67202 67203 72e193b 67201->67203 67212 72e1951 67202->67212 67203->67157 67204 72e1948 67204->67157 67207 72e193b 67206->67207 67208 72e1942 67206->67208 67207->67157 67210 72e1951 2 API calls 67208->67210 67209 72e1948 67209->67157 67210->67209 67211->67157 67213 72e196e 67212->67213 67215 72e1990 67212->67215 67214 72e197c 67213->67214 67218 569aad8 67213->67218 67223 569aac8 67213->67223 67214->67204 67215->67204 67220 569ab24 67218->67220 67219 569ab75 67219->67214 67220->67219 67228 72e19d0 67220->67228 67233 72e19c1 67220->67233 67225 569aad8 67223->67225 67224 569ab75 67224->67214 67224->67224 67225->67224 67226 72e19d0 2 API calls 67225->67226 67227 72e19c1 2 API calls 67225->67227 67226->67224 67227->67224 67229 72e1a16 67228->67229 67230 72e1a39 67229->67230 67231 569830c 2 API calls 67229->67231 67238 569b700 67229->67238 67230->67219 67231->67230 67234 72e1a16 
67233->67234 67235 72e1a39 67234->67235 67236 569830c 2 API calls 67234->67236 67237 569b700 2 API calls 67234->67237 67235->67219 67236->67235 67237->67235 67239 569b710 67238->67239 67240 569b7fc 67239->67240 67241 569b752 67239->67241 67243 56981e4 CallWindowProcW 67240->67243 67242 569b7aa CallWindowProcW 67241->67242 67244 569b759 67241->67244 67242->67244 67243->67244 67244->67230 67246 72e6bab 67245->67246 67249 72e6b76 67245->67249 67247 569aac8 2 API calls 67246->67247 67248 569aad8 2 API calls 67246->67248 67246->67249 67250 569b6ea 2 API calls 67246->67250 67247->67249 67248->67249 67249->67163 67250->67249 67251->67186 67495 678598 67496 6785a5 VirtualAlloc 67495->67496

                                                                                                        Control-flow Graph

                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1686959407.0000000009340000.00000040.00000800.00020000.00000000.sdmp, Offset: 09340000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_9340000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 2-R$l62$.R$.R$.R$.R
                                                                                                        • API String ID: 0-232466788
                                                                                                        • Opcode ID: a74c90ca946073b4103cc0ac1c42c82f04ea6b2b20df6975d2375b28ba0d2776
                                                                                                        • Instruction ID: ce76b7909df1e588263735ef9b32d6572dc7c702de2554dc147c2ac6be45b616
                                                                                                        • Opcode Fuzzy Hash: a74c90ca946073b4103cc0ac1c42c82f04ea6b2b20df6975d2375b28ba0d2776
                                                                                                        • Instruction Fuzzy Hash: 9BF1AF70A002499FDB15DF69D850BAEBBF6EF88300F1585A9E505EB2A1DB34EC45CF90
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph

                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1686496708.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_72e0000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: Hxq$Hxq$Hxq$Hxq$Hxq
                                                                                                        • API String ID: 0-615405233
                                                                                                        • Opcode ID: 79971fd3312927b4b973fc60a7457e4fa9ecc08451e5b95ddeec1099439b3801
                                                                                                        • Instruction ID: 5ed79e9dbc0a7d5eeb58b5daaafa0f27630cb9d58b6dc195fc27ba0b8c7adad0
                                                                                                        • Opcode Fuzzy Hash: 79971fd3312927b4b973fc60a7457e4fa9ecc08451e5b95ddeec1099439b3801
                                                                                                        • Instruction Fuzzy Hash: 9C427CB0E102988FDF58EFA9C85079EBBF6BF88300F548169E409AB355DB349945CF91
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1680876653.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_3200000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4|yq
                                                                                                        • API String ID: 0-3659113163
                                                                                                        • Opcode ID: d08bfdf1bb6ba4ea3901735008fb93a7a05814093b58e28c198eadae0213ffe6
                                                                                                        • Instruction ID: 2c6f5b891b61876705e718185d93897d9012e01969ba2eb06c3e5cf199ab8dff
                                                                                                        • Opcode Fuzzy Hash: d08bfdf1bb6ba4ea3901735008fb93a7a05814093b58e28c198eadae0213ffe6
                                                                                                        • Instruction Fuzzy Hash: 0722BBB5E002298FDB68DFA9CC90BEDB7B1AF88300F5481A9D909E7355DA745E84CF50
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1686496708.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_72e0000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 6a78807b44efbb67606beff9d1ae934831f3db46b79bda623462805625e29b68
                                                                                                        • Instruction ID: 700267ef198ea2105867986b44bb7cb09ff0aed55ad21819d4d9126ffea0908c
                                                                                                        • Opcode Fuzzy Hash: 6a78807b44efbb67606beff9d1ae934831f3db46b79bda623462805625e29b68
                                                                                                        • Instruction Fuzzy Hash: 09E1B3B4E10219CFDB64DFA5C980BADBBB6BF89300F10D1AAD409AB255DB705E85CF50
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1686496708.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_72e0000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: c1678d884c503a9afec1fd162ddf713c2b072be03a7ad51b72c63636e9b290d7
                                                                                                        • Instruction ID: 9357309da558b358327b7db3cca477cdcf9e92036f2e68f26e8b9e6eb65b59ec
                                                                                                        • Opcode Fuzzy Hash: c1678d884c503a9afec1fd162ddf713c2b072be03a7ad51b72c63636e9b290d7
                                                                                                        • Instruction Fuzzy Hash: 70C18AB0E20299DFDF14DFA5C880799BBF6BF89300F54C1AAE449AB255DB309984CF50
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1686496708.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_72e0000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 57bbd37e3d892c69f0a4e48fcf0fbcc385f1da4145b337cb00ccb21519937a69
                                                                                                        • Instruction ID: 48efda8231c9e457cad9926cf3d69d1e98a51bf8ab94a2fd6e9a40063b62cbdf
                                                                                                        • Opcode Fuzzy Hash: 57bbd37e3d892c69f0a4e48fcf0fbcc385f1da4145b337cb00ccb21519937a69
                                                                                                        • Instruction Fuzzy Hash: A2B111B4D10319CFDB14DFA9C5887ADBBF6BF49300F10A0AAD449AB291DB784A85CF50
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph

                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1686959407.0000000009340000.00000040.00000800.00020000.00000000.sdmp, Offset: 09340000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_9340000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$ Y2$$#tq$(Ayq$(otq$, tq$,xq$,xq$0"tq$4'tq$4ctq$Hbuq$LRtq$PHtq$Pptq$X#tq$\;tq$\stq$l62$l62$p tq$p<tq$pByq$p`tq$x yq$xxq$|buq$|yq$yq$$tq$;tq$ctq
                                                                                                        • API String ID: 0-2771046172
                                                                                                        • Opcode ID: 1f15ca649106d69e7b12bae107eb43781c57336387247903aa2a68f9eef01275
                                                                                                        • Instruction ID: 6c200289b5dd7768a69f9498fdfae177fdb687a146058b6c4fd93c64b8f79f8c
                                                                                                        • Opcode Fuzzy Hash: 1f15ca649106d69e7b12bae107eb43781c57336387247903aa2a68f9eef01275
                                                                                                        • Instruction Fuzzy Hash: B6633E71A40218AFDB659BA4DC51BEE7BBAFF88340F1040D9E609AB290DF715E80CF55
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph
                                                                                                        (rendered control-flow graph not reproduced; first listed basic block 5fd3920-5fd3937, graph marks a GetCurrentThreadId call in block 5fd3e3f-5fd3e65)
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1686210627.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_5fd0000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: Hxq$Hxq$Hxq$Hxq$Hxq
                                                                                                        • API String ID: 0-615405233
                                                                                                        • Opcode ID: 8aa6d2163a49d8e487f3c7e7b803298050dd3707754345b8e883d631b19aecff
                                                                                                        • Instruction ID: 4513be2f7a038005f05780b6528d3a5b524143f4cfb0c3d61b9142234c37b7fd
                                                                                                        • Opcode Fuzzy Hash: 8aa6d2163a49d8e487f3c7e7b803298050dd3707754345b8e883d631b19aecff
                                                                                                        • Instruction Fuzzy Hash: EDE15C30B042448FCB19EBB8C5559AEBBF7FF89310B644869D506AB391DF399C42CB61
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph
                                                                                                        (rendered control-flow graph not reproduced; first listed basic block 9340828-9340834)
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1686959407.0000000009340000.00000040.00000800.00020000.00000000.sdmp, Offset: 09340000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_9340000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: ,xq$pD2$(2
                                                                                                        • API String ID: 0-2758534523
                                                                                                        • Opcode ID: 5b5079fd92681ca57c24943a496a2af54e70e1bfa1eb2811efea78044cf1fb3c
                                                                                                        • Instruction ID: 863a1bd94679c5c6edd675f8f9c71a1a9dab1e0992fa06df313560911853b1c4
                                                                                                        • Opcode Fuzzy Hash: 5b5079fd92681ca57c24943a496a2af54e70e1bfa1eb2811efea78044cf1fb3c
                                                                                                        • Instruction Fuzzy Hash: 5081E23070411A8FCF5C9A79845552A76DBAFC5390B2640A9EB0ACF365EE20EC41CF67
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph
                                                                                                        (rendered control-flow graph not reproduced; first listed basic block 9345877-93458f1)
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1686959407.0000000009340000.00000040.00000800.00020000.00000000.sdmp, Offset: 09340000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_9340000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'tq$Dm2$o2
                                                                                                        • API String ID: 0-2122891565
                                                                                                        • Opcode ID: 8c271a6b27c57491643f5b41eeffd8e0cd96ec4194ad6f0d4e14a1096cc68c21
                                                                                                        • Instruction ID: 944d11b77862a7920f03c53b8ab4a88ff4c1e4afe99039e8d1d9769b874cd37b
                                                                                                        • Opcode Fuzzy Hash: 8c271a6b27c57491643f5b41eeffd8e0cd96ec4194ad6f0d4e14a1096cc68c21
                                                                                                        • Instruction Fuzzy Hash: 240186303042015FC61AEB79D85156E7BABEFCA344744499AE1468F352EF30AC468BE1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph
                                                                                                        (rendered control-flow graph not reproduced; first listed basic block 9345888-93458f1)
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1686959407.0000000009340000.00000040.00000800.00020000.00000000.sdmp, Offset: 09340000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_9340000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'tq$Dm2$o2
                                                                                                        • API String ID: 0-2122891565
                                                                                                        • Opcode ID: 68478d7f10248186302e88abdfb45aba4b6068b445197482da786981ba05f330
                                                                                                        • Instruction ID: e613d9d59c9ae742e3c656bdcfe7631bd53b156890c6183b91fe971d1f80b12f
                                                                                                        • Opcode Fuzzy Hash: 68478d7f10248186302e88abdfb45aba4b6068b445197482da786981ba05f330
                                                                                                        • Instruction Fuzzy Hash: 93F090303002059BCA19EB7AE461A6F7BDBEFCD3447104929E14A8B351EF30BC468BE1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph
                                                                                                        (rendered control-flow graph not reproduced; first listed basic block 72e9435-72e94bd, graph marks a CreateFileA call in block 72e9503-72e95bc)
                                                                                                        APIs
                                                                                                        • CreateFileA.KERNELBASE(?,?,?,?,?,?,?), ref: 072E95AC
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1686496708.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_72e0000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CreateFile
                                                                                                        • String ID: 4Ltq
                                                                                                        • API String ID: 823142352-1272723734
                                                                                                        • Opcode ID: 04b684d66f4c6a30d96efb7c4b232bacd17a01423ba3238a459e0eb7f517e445
                                                                                                        • Instruction ID: 0865563331c6ef21371669df5d8204462c14a7915fc232ea9fd0544a9d86207d
                                                                                                        • Opcode Fuzzy Hash: 04b684d66f4c6a30d96efb7c4b232bacd17a01423ba3238a459e0eb7f517e445
                                                                                                        • Instruction Fuzzy Hash: 9551EBB4D10319DFDF14CFA9C881A9EFBF5BB49310F60902AE858AB240DB74A985CF45
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph
                                                                                                        (rendered control-flow graph not reproduced; first listed basic block 72e9440-72e94bd, graph marks a CreateFileA call in block 72e9503-72e95bc)
                                                                                                        APIs
                                                                                                        • CreateFileA.KERNELBASE(?,?,?,?,?,?,?), ref: 072E95AC
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1686496708.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_72e0000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CreateFile
                                                                                                        • String ID: 4Ltq
                                                                                                        • API String ID: 823142352-1272723734
                                                                                                        • Opcode ID: 86f0c5064560d59956d7767ce112fb8e636e2da5bcb9fdcc6ea2291c71af1c3f
                                                                                                        • Instruction ID: ac0c240a63a9c535cc49565882d288078095c959432faad6df9679d363f89ad0
                                                                                                        • Opcode Fuzzy Hash: 86f0c5064560d59956d7767ce112fb8e636e2da5bcb9fdcc6ea2291c71af1c3f
                                                                                                        • Instruction Fuzzy Hash: 1951ECB4D10219DFDF10CFA9C881A9EFBF5BF49310F20902AE858AB240DB74A985CF45
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph
                                                                                                        (rendered control-flow graph not reproduced; first listed basic block 56944c8-56944d1, graph marks GetCurrentThread in block 5694570-56945a4 and GetCurrentThreadId in block 569460b-569463a)
                                                                                                        APIs
                                                                                                        • GetCurrentThread.KERNEL32 ref: 05694593
                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 05694629
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1685763138.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_5690000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CurrentThread
                                                                                                        • String ID:
                                                                                                        • API String ID: 2882836952-0
                                                                                                        • Opcode ID: 83b0b01eedac7d788cb90d149e19d8efb4637649be8ac3be61d03aa615177521
                                                                                                        • Instruction ID: 1d2406706d5516274c67de6ac8ad1e6f5a5e358b10145fc8090c47a50a9aae9c
                                                                                                        • Opcode Fuzzy Hash: 83b0b01eedac7d788cb90d149e19d8efb4637649be8ac3be61d03aa615177521
                                                                                                        • Instruction Fuzzy Hash: 495184B0910648CFCB18CFAAD548BAEBFF5FF88314F248459E01AA7350DB749985CB65
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Control-flow Graph
                                                                                                        (rendered control-flow graph not reproduced; first listed basic block 56944d8-5694567, graph marks GetCurrentThread in block 5694570-56945a4 and GetCurrentThreadId in block 569460b-569463a)
                                                                                                        APIs
                                                                                                        • GetCurrentThread.KERNEL32 ref: 05694593
                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 05694629
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1685763138.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_5690000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CurrentThread
                                                                                                        • String ID:
                                                                                                        • API String ID: 2882836952-0
                                                                                                        • Opcode ID: 70963bf63c929c92a77af4bae24263d5716585a70639db9cedadd86c2aed80ce
                                                                                                        • Instruction ID: 410c5733b41f5c097d57c27bca3c21edc6c5b23a5a76e157f4e14160470304a8
                                                                                                        • Opcode Fuzzy Hash: 70963bf63c929c92a77af4bae24263d5716585a70639db9cedadd86c2aed80ce
                                                                                                        • Instruction Fuzzy Hash: A35163B0900649CFCB18CFAAD548BAEBFF5FF88310F208459E01AA7350DB749985CB65
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1686959407.0000000009340000.00000040.00000800.00020000.00000000.sdmp, Offset: 09340000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_9340000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 0r2$$tq
                                                                                                        • API String ID: 0-1554248212
                                                                                                        • Opcode ID: 0d05a1b92d41a22529637a4dc7e36fb4690f6027c7f51ae8321d5da61eb32c71
                                                                                                        • Instruction ID: fda35abeaeae424eba26fa084c031a0d46f0429fedc7bc1f77023b52753b5101
                                                                                                        • Opcode Fuzzy Hash: 0d05a1b92d41a22529637a4dc7e36fb4690f6027c7f51ae8321d5da61eb32c71
                                                                                                        • Instruction Fuzzy Hash: E9E12974F002159FCB14DF69C894AAEBBF6AF88700B158569E906EB365DB30EC41CF90
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1686959407.0000000009340000.00000040.00000800.00020000.00000000.sdmp, Offset: 09340000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_9340000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: ,xq$d?2
                                                                                                        • API String ID: 0-3751924218
                                                                                                        • Opcode ID: 524417383f726d44592973934f4cd22be9c77d226cf187afd45ba09ebc1c1b74
                                                                                                        • Instruction ID: f7b11b39f36b55c9fe114ca96a4a598fb411546d58c51acc1da512173ff506c7
                                                                                                        • Opcode Fuzzy Hash: 524417383f726d44592973934f4cd22be9c77d226cf187afd45ba09ebc1c1b74
                                                                                                        • Instruction Fuzzy Hash: 4F81C9B47041099FDF9D5A7A841563E6ADBBFC5340B1640A5EA0ACF3A5EE30EC41CF62
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1686959407.0000000009340000.00000040.00000800.00020000.00000000.sdmp, Offset: 09340000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_9340000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: @t2$@t2
                                                                                                        • API String ID: 0-1618186448
                                                                                                        • Opcode ID: dd59c442619ba3e3b474cadc01e74d4c5ea2b7f5d8be6a8515fe58e931d00b92
                                                                                                        • Instruction ID: f3f500637c659264591ceb8a5f1b2593af7e5c5a7ce9b645dbf2ee7220a81404
                                                                                                        • Opcode Fuzzy Hash: dd59c442619ba3e3b474cadc01e74d4c5ea2b7f5d8be6a8515fe58e931d00b92
                                                                                                        • Instruction Fuzzy Hash: B831D47610E3D04FE7078B3598755AA7FF5EF87218B0A00EBD085CF1A3E6259809C765
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 05699159
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1685763138.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_5690000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CreateWindow
                                                                                                        • String ID:
                                                                                                        • API String ID: 716092398-0
                                                                                                        • Opcode ID: d2b2c40ae506a6faa75b5a403af9b1ca4f9dc2ada238e55a113615226e0a3b2c
                                                                                                        • Instruction ID: df06db327954cf2b2ee3d8324ec720381c26743c37ac195acef702d8aeb31e1c
                                                                                                        • Opcode Fuzzy Hash: d2b2c40ae506a6faa75b5a403af9b1ca4f9dc2ada238e55a113615226e0a3b2c
                                                                                                        • Instruction Fuzzy Hash: 75719AB4D00258DFDF20CFA9D884ADEBBF5BB09310F1491AAE818A7211D731AA85CF55
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 05699159
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1685763138.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_5690000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: CreateWindow
                                                                                                        • String ID:
                                                                                                        • API String ID: 716092398-0
                                                                                                        • Opcode ID: 8cd96e4640a32c5874a95300a34f2c1f242bd022d3accf2b0ae5a22b81190a4e
                                                                                                        • Instruction ID: c823d0c8f29e325f99fc79b7bb0d4d25ae55b517e03c4ea71148940658ddc652
                                                                                                        • Opcode Fuzzy Hash: 8cd96e4640a32c5874a95300a34f2c1f242bd022d3accf2b0ae5a22b81190a4e
                                                                                                        • Instruction Fuzzy Hash: 0B7199B4D00218DFDF24CFA9C984ADEBBB5BF09300F1491AAE818A7211D731AA85CF54
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • CreateActCtxA.KERNEL32(?), ref: 0320CED1
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1680876653.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_3200000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Create
                                                                                                        • String ID:
                                                                                                        • API String ID: 2289755597-0
                                                                                                        • Opcode ID: 7a39fdf1c67ca6609ce2d88e9cdaf46ef876402fd89fc429c80f7c1dd1a28ed2
                                                                                                        • Instruction ID: ab7700af77fbab010b0d421823bf9a88af7b2e91b3b1e6d7fc4c95fa7f736351
                                                                                                        • Opcode Fuzzy Hash: 7a39fdf1c67ca6609ce2d88e9cdaf46ef876402fd89fc429c80f7c1dd1a28ed2
                                                                                                        • Instruction Fuzzy Hash: F351E8B1D00219CFDB24DFA9C880BDEBBF5BF49300F1085AAD508BB251DA756A89CF51
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • CreateActCtxA.KERNEL32(?), ref: 0320CED1
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1680876653.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_3200000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Create
                                                                                                        • String ID:
                                                                                                        • API String ID: 2289755597-0
                                                                                                        • Opcode ID: 70ef1e31e98ebc9613547f8e8c013f96595bfd0a945494df2d9a07ba5e2c3b94
                                                                                                        • Instruction ID: c65668bc575716c6072546b8f3bb494cb2adb2d36ed7745b2f2b23fde7d32dc5
                                                                                                        • Opcode Fuzzy Hash: 70ef1e31e98ebc9613547f8e8c013f96595bfd0a945494df2d9a07ba5e2c3b94
                                                                                                        • Instruction Fuzzy Hash: 8251D9B1D0021DCFDB24DFA9C840B9EBBF5BF49300F1085AAD509BB251DA756A89CF91
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • ReadFile.KERNELBASE(?,?,?,?,?), ref: 072E9B2D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1686496708.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_72e0000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: FileRead
                                                                                                        • String ID:
                                                                                                        • API String ID: 2738559852-0
                                                                                                        • Opcode ID: ea6a523b5c0dc0970a1756e61a1f57ecaf56e95654cba9158b75b30ad8b566ff
                                                                                                        • Instruction ID: 1e39ee70c35e82a9f32b5f771a948c901793685bc9968099b351f39f68488fec
                                                                                                        • Opcode Fuzzy Hash: ea6a523b5c0dc0970a1756e61a1f57ecaf56e95654cba9158b75b30ad8b566ff
                                                                                                        • Instruction Fuzzy Hash: A341DDB0D102199FDB10CFA9C984ADEFBF5BF49300F24902AE858BB250DB74A985CF54
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • ReadFile.KERNELBASE(?,?,?,?,?), ref: 072E9B2D
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1686496708.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_72e0000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: FileRead
                                                                                                        • String ID:
                                                                                                        • API String ID: 2738559852-0
                                                                                                        • Opcode ID: 0cc8e0dc673af706458ac2d4461ad74cf9a864d433de68cf154512dd59c397be
                                                                                                        • Instruction ID: 8d28e0a2e28f93c87775d10b021a49f0555ceba84d6fce1c39d8a66fbb4ec879
                                                                                                        • Opcode Fuzzy Hash: 0cc8e0dc673af706458ac2d4461ad74cf9a864d433de68cf154512dd59c397be
                                                                                                        • Instruction Fuzzy Hash: 0841CBB0D102189FDB10CFAAC984ADEFBF5BF49300F64902AE458BB250DB74A985CF54
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 056947EB
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1685763138.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_5690000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: DuplicateHandle
                                                                                                        • String ID:
                                                                                                        • API String ID: 3793708945-0
                                                                                                        • Opcode ID: 3062679e31adeda18151fd5dacd91516a1f4e854282ddca50e800056850f031b
                                                                                                        • Instruction ID: cf0086d4c19c2941caeb7ce1335c8502aa790f35e7f84978132407f380e20f80
                                                                                                        • Opcode Fuzzy Hash: 3062679e31adeda18151fd5dacd91516a1f4e854282ddca50e800056850f031b
                                                                                                        • Instruction Fuzzy Hash: DC4157B9D002589FCF10CFA9D984ADEBBF5FB09310F14902AE918AB310D735A945CF54
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 056947EB
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1685763138.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_5690000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: DuplicateHandle
                                                                                                        • String ID:
                                                                                                        • API String ID: 3793708945-0
                                                                                                        • Opcode ID: 7ffea38e290d48e6b372034956b63b7c337fb14960db6c12ecb67693b093819a
                                                                                                        • Instruction ID: f5f0177aaba79285a3f91876836cf44094f8239d01f88109203b329cc2734528
                                                                                                        • Opcode Fuzzy Hash: 7ffea38e290d48e6b372034956b63b7c337fb14960db6c12ecb67693b093819a
                                                                                                        • Instruction Fuzzy Hash: 3E4156B9D002989FCF10CFA9D984ADEBBF5BB09320F14906AE918BB310D735A945CF54
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • GetClassInfoW.USER32(?,?,?), ref: 072E6A78
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1686496708.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_72e0000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ClassInfo
                                                                                                        • String ID:
                                                                                                        • API String ID: 3534257612-0
                                                                                                        • Opcode ID: 83ba6628ab1c679511735fa3d0afd7042b18dcbb0e4662124cf7fd0a402fc41f
                                                                                                        • Instruction ID: 4ecce065959b7e0841934f38f29327aeec25578d8741767764b3fdba1012234d
                                                                                                        • Opcode Fuzzy Hash: 83ba6628ab1c679511735fa3d0afd7042b18dcbb0e4662124cf7fd0a402fc41f
                                                                                                        • Instruction Fuzzy Hash: C74177B4D10259DFCB10CFA9D984ADEFBF5BB59314F24806AE818AB310D374AA85CF54
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        APIs
                                                                                                        • GetClassInfoW.USER32(?,?,?), ref: 072E6A78
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1686496708.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_72e0000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ClassInfo
                                                                                                        • String ID:
                                                                                                        • API String ID: 3534257612-0
                                                                                                        • Opcode ID: cfd796e9b2232cbe735d6b1fdda8103f5a0be75eb4c1fe6f13a11cea6471a22c
                                                                                                        • Instruction ID: 99fb0c0f9a5025cdfaff36a611bec4373b4a01551b8eb8b46d48ddf3503c7c6d
                                                                                                        • Opcode Fuzzy Hash: cfd796e9b2232cbe735d6b1fdda8103f5a0be75eb4c1fe6f13a11cea6471a22c
                                                                                                        • Instruction Fuzzy Hash: 484165B4D10259DFCB10CFA9D984ADEFBF5BB59314F24802AE818AB310D374AA85CF54
Uniqueness

Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,?,00000000,?), ref: 072E78F3
Memory Dump Source
• Source File: 00000000.00000002.1686496708.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_72e0000_CswRsjV3kH.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 0569B7D1
Memory Dump Source
• Source File: 00000000.00000002.1685763138.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5690000_CswRsjV3kH.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(?,?,?,?), ref: 072E53BB
Memory Dump Source
• Source File: 00000000.00000002.1686496708.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_72e0000_CswRsjV3kH.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,?,00000000,?), ref: 072E78F3
Memory Dump Source
• Source File: 00000000.00000002.1686496708.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_72e0000_CswRsjV3kH.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(?,?,?,?), ref: 072E53BB
Memory Dump Source
• Source File: 00000000.00000002.1686496708.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_72e0000_CswRsjV3kH.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,?,00000000,?), ref: 072E78F3
Memory Dump Source
• Source File: 00000000.00000002.1686496708.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_72e0000_CswRsjV3kH.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetWindowTextW.USER32(?,?), ref: 072E2756
Memory Dump Source
• Source File: 00000000.00000002.1686496708.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_72e0000_CswRsjV3kH.jbxd
Similarity
• API ID: TextWindow
• String ID:
• API String ID: 530164218-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetWindowTextW.USER32(?,?), ref: 072E2756
Memory Dump Source
• Source File: 00000000.00000002.1686496708.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_72e0000_CswRsjV3kH.jbxd
Similarity
• API ID: TextWindow
• String ID:
• API String ID: 530164218-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• Module32FirstW.KERNEL32(?,?), ref: 02773E27
Memory Dump Source
• Source File: 00000000.00000002.1680116502.0000000002770000.00000040.00001000.00020000.00000000.sdmp, Offset: 02770000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2770000_CswRsjV3kH.jbxd
Similarity
• API ID: FirstModule32
• String ID:
• API String ID: 3757679902-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetConsoleWindow.KERNELBASE ref: 0320B948
Memory Dump Source
• Source File: 00000000.00000002.1680876653.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3200000_CswRsjV3kH.jbxd
Similarity
• API ID: ConsoleWindow
• String ID:
• API String ID: 2863861424-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetConsoleWindow.KERNELBASE ref: 0320B948
Memory Dump Source
• Source File: 00000000.00000002.1680876653.0000000003200000.00000040.00000800.00020000.00000000.sdmp, Offset: 03200000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3200000_CswRsjV3kH.jbxd
Similarity
• API ID: ConsoleWindow
• String ID:
• API String ID: 2863861424-0
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1686959407.0000000009340000.00000040.00000800.00020000.00000000.sdmp, Offset: 09340000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9340000_CswRsjV3kH.jbxd
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualAlloc.KERNELBASE(?,?,?,?), ref: 006785C3
Memory Dump Source
• Source File: 00000000.00000002.1679039317.000000000066C000.00000040.00000001.01000000.00000003.sdmp, Offset: 0050B000, based on PE: true
• Associated: 00000000.00000002.1679039317.000000000050B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1679039317.000000000064C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1679039317.0000000000651000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_CswRsjV3kH.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.1686959407.0000000009340000.00000040.00000800.00020000.00000000.sdmp, Offset: 09340000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9340000_CswRsjV3kH.jbxd
Similarity
• API ID:
• String ID: l62
• API String ID: 0-3841909328
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1686959407.0000000009340000.00000040.00000800.00020000.00000000.sdmp, Offset: 09340000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_9340000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 9f13a4350a21ab775c409da5551df3c3b161f01b5402719b695dbc2f520b63cf
                                                                                                        • Instruction ID: 729ae50dc9de07259dea8240369ab2644e1988080b1d965838c97d9b9699fc5f
                                                                                                        • Opcode Fuzzy Hash: 9f13a4350a21ab775c409da5551df3c3b161f01b5402719b695dbc2f520b63cf
                                                                                                        • Instruction Fuzzy Hash: 9F1246747006058FDB14DF29C499A6ABBF6FF8A304B1684A9E506CB362DB34EC45CF90
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1686959407.0000000009340000.00000040.00000800.00020000.00000000.sdmp, Offset: 09340000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_9340000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 50fb077088d9a2be23f3f6dd2440b692f63dd943bf1982376ca4db2ec419c325
                                                                                                        • Instruction ID: 140cee5e36576d2939e024d8a53e1f9f7cf497520417463928332bb0c2638321
                                                                                                        • Opcode Fuzzy Hash: 50fb077088d9a2be23f3f6dd2440b692f63dd943bf1982376ca4db2ec419c325
                                                                                                        • Instruction Fuzzy Hash: 79B15B34B012449FCB18DFA8D594BAEBBF6EF89300F2540A9E405AB3A1CB34ED41CB51
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1686959407.0000000009340000.00000040.00000800.00020000.00000000.sdmp, Offset: 09340000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_9340000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: b9da81cecace52ad1f86636022d41284bcda15b3d867339f1a9e537fed9622c5
                                                                                                        • Instruction ID: 21605bfdb8a9c0c092bda4011eef39abb76408473e13f5aad45cc6723eb03e06
                                                                                                        • Opcode Fuzzy Hash: b9da81cecace52ad1f86636022d41284bcda15b3d867339f1a9e537fed9622c5
                                                                                                        • Instruction Fuzzy Hash: 3F61DDB0D002589FDF24CFA9C885BDEBBF5BF88710F14852AE419AB294DB746885CF41
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1686959407.0000000009340000.00000040.00000800.00020000.00000000.sdmp, Offset: 09340000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_9340000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 0257f5d76c7ab13d7ad2911d95a0b111cee19c3f01296264dcca7ee7f586a364
                                                                                                        • Instruction ID: 0ea2d9a6341d8f4bc9a5b97153808bbacdc06e187abf0b3eb910659e06e1d006
                                                                                                        • Opcode Fuzzy Hash: 0257f5d76c7ab13d7ad2911d95a0b111cee19c3f01296264dcca7ee7f586a364
                                                                                                        • Instruction Fuzzy Hash: 4D515975F002058FCB15DF69C4A06AEB7F6BF88700B158569E905EB355EB30EC418F91
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1686959407.0000000009340000.00000040.00000800.00020000.00000000.sdmp, Offset: 09340000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_9340000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: ac455cea30d292699f1032452a8b22dcda4c332bc021936c4ffc7159308cbf41
                                                                                                        • Instruction ID: 7d784be88fa57ae727f98b72fdb5081e7db51255c9839d1bba72859bb9c488fc
                                                                                                        • Opcode Fuzzy Hash: ac455cea30d292699f1032452a8b22dcda4c332bc021936c4ffc7159308cbf41
                                                                                                        • Instruction Fuzzy Hash: A761CEB0D00258DFDF24CFAAC885B9EBBF5BF88710F14852AE419AB254DB746985CF41
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1686959407.0000000009340000.00000040.00000800.00020000.00000000.sdmp, Offset: 09340000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_9340000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: bc9067734527edaddba0731bf34f0c1c454f7ccb9c75f0215d23631dab850ce6
                                                                                                        • Instruction ID: dbf86034796c3de2166ee05f58926bc9612862e8e5239d5fb1636463015d79ce
                                                                                                        • Opcode Fuzzy Hash: bc9067734527edaddba0731bf34f0c1c454f7ccb9c75f0215d23631dab850ce6
                                                                                                        • Instruction Fuzzy Hash: A6515E75B002058FCB54DF79D88499ABBF6EF88310B1585AAE506DB362DB30EC45CFA0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1686959407.0000000009340000.00000040.00000800.00020000.00000000.sdmp, Offset: 09340000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_9340000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: e6f9bc2be9053ffc664c8be939074ab2f4effe012a71e71f699cf297b63f1730
                                                                                                        • Instruction ID: add48d2da35392febd953eca7539d5cb9ad4acacc5aa072ebef667bf992b62be
                                                                                                        • Opcode Fuzzy Hash: e6f9bc2be9053ffc664c8be939074ab2f4effe012a71e71f699cf297b63f1730
                                                                                                        • Instruction Fuzzy Hash: 35519171E402189FDB14DFA9D880AADBBFAEF88310F568069E505EB250DB70BD45CF50
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1686959407.0000000009340000.00000040.00000800.00020000.00000000.sdmp, Offset: 09340000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_9340000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: cbf5e9924e72cab4848900872ada291509bacd3839e89923a05067bf5e649bd5
                                                                                                        • Instruction ID: 49a5717cabdfa6abc56f75549da01712fcfd538d6ba40c24d6aaaa10ea94f291
                                                                                                        • Opcode Fuzzy Hash: cbf5e9924e72cab4848900872ada291509bacd3839e89923a05067bf5e649bd5
                                                                                                        • Instruction Fuzzy Hash: 5C51BF71E402148FDB14DFA9D980AADBBF6EF88300F568169E404EB2A1EB70AD45CF50
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1686959407.0000000009340000.00000040.00000800.00020000.00000000.sdmp, Offset: 09340000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_9340000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 2210c862a7dec94f36eb545217f2734cf8f766413f5feed31e0efd5ef989bdca
                                                                                                        • Instruction ID: 0289fa74026c252bc83972bde5cf62f1756d99e6819918e2d44270144192a9eb
                                                                                                        • Opcode Fuzzy Hash: 2210c862a7dec94f36eb545217f2734cf8f766413f5feed31e0efd5ef989bdca
                                                                                                        • Instruction Fuzzy Hash: 4C318D317092468FCB16DF69C8C08AABFB5EF8532071685A6DA45CB263D734B915CFE0
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1686959407.0000000009340000.00000040.00000800.00020000.00000000.sdmp, Offset: 09340000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_9340000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: c8e55a9ac7a89afe14d106acd4fe3dd0f0e3e90770e9bb15979d40919fccad28
                                                                                                        • Instruction ID: 40f399f00c1e3474e78209390c2ad0c2d9f09ae8252ef07d931a49d2e42c3801
                                                                                                        • Opcode Fuzzy Hash: c8e55a9ac7a89afe14d106acd4fe3dd0f0e3e90770e9bb15979d40919fccad28
                                                                                                        • Instruction Fuzzy Hash: 3031E1B1D002889FCF14CFAAC984ADEFFF6AF48310F24802AE415AB251DB756945CF50
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1680308856.0000000002AAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AAD000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_2aad000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 9cd3ce022d29eb5154f029e283ef5452719be1bd7624d634b5ad57d211b5ca32
                                                                                                        • Instruction ID: a99730108fbae48936e702f0baf053adc77fc0b928a3dd034ab6f76991ff2fcd
                                                                                                        • Opcode Fuzzy Hash: 9cd3ce022d29eb5154f029e283ef5452719be1bd7624d634b5ad57d211b5ca32
                                                                                                        • Instruction Fuzzy Hash: 772142B1500600DFDB01DF14D9C0B2AFFA6FF98324F24C669E9890B606C736D40ACAA2
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1680379694.0000000002ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ABD000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_2abd000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: c202096c69dbfd8279d8a8ceaac78d8a4ae4a31442bf1b79e96365fd18318658
                                                                                                        • Instruction ID: 2235b38d7455b0043d0a43b25926fd204dfab3e02d8d3a2151d664600fc3c9b0
                                                                                                        • Opcode Fuzzy Hash: c202096c69dbfd8279d8a8ceaac78d8a4ae4a31442bf1b79e96365fd18318658
                                                                                                        • Instruction Fuzzy Hash: 9B21F275604640DFDB16DF14D9C0B66BFA9FF88314F24C96DE90A4B246CB3AD807CA61
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1680379694.0000000002ABD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ABD000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_2abd000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 8a623a71f574350b480101b391cbf93acb9603b7c6946b17dc32c9a8d49d7e93
                                                                                                        • Instruction ID: 6856525bdf8bd8c8bd3a31a8a5204373e6b130eadfebf22231760ecae9649d64
                                                                                                        • Opcode Fuzzy Hash: 8a623a71f574350b480101b391cbf93acb9603b7c6946b17dc32c9a8d49d7e93
                                                                                                        • Instruction Fuzzy Hash: E221F5B1904680EFDB06DF14D5C0B66FBA9FF88314F24C96DE9094B242CB36D406CA61
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1686959407.0000000009340000.00000040.00000800.00020000.00000000.sdmp, Offset: 09340000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_9340000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: cad6fbff9da2ff803890a675250f86157173c95d93fdd916a1274bf53777390d
                                                                                                        • Instruction ID: e669993707982c95e8d00c41c11fa5336ef0d1e233d5950c28f43d3de519e2ed
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1686959407.0000000009340000.00000040.00000800.00020000.00000000.sdmp, Offset: 09340000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_9340000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: ":R
                                                                                                        • API String ID: 0-4090650525
                                                                                                        • Opcode ID: 57a1341a352a48c2105f5f8ec40ca779708e226f90031697083735852a09feab
                                                                                                        • Instruction ID: eb0f0f33ec0f6a4023c6913794a285d9a57c51cceb327c10c4a30bee0a69cab1
                                                                                                        • Opcode Fuzzy Hash: 57a1341a352a48c2105f5f8ec40ca779708e226f90031697083735852a09feab
                                                                                                        • Instruction Fuzzy Hash: 07623FB06002009BDB88DF69D55475A7AD6EF88308F24C99CD1098F396DFBAD94B8FD1
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1685763138.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_5690000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 49e9f7bdcbd4e892a94c363296e9d8dbda7e82ce342bf3a76f5e8cc71c18c4f2
                                                                                                        • Instruction ID: 057e44842e7be32ec1c081d6c46342a33e0a0d78c062b321159ffd169b61c87b
                                                                                                        • Opcode Fuzzy Hash: 49e9f7bdcbd4e892a94c363296e9d8dbda7e82ce342bf3a76f5e8cc71c18c4f2
                                                                                                        • Instruction Fuzzy Hash: 9D12AAF04227458AD712CF25E94E1893F71BF85314B92421AE2612F2D1EFBC166EEF84
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1685763138.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_5690000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 4961c4906bfb4972d73773ed51422b553178cc9f0d63eeb533669685bad00f93
                                                                                                        • Instruction ID: d8c7f5a8b5bdc0ab30562c13d5d121cb6a17db2afe8cfb33a3d8dac129fb9e85
                                                                                                        • Opcode Fuzzy Hash: 4961c4906bfb4972d73773ed51422b553178cc9f0d63eeb533669685bad00f93
                                                                                                        • Instruction Fuzzy Hash: 01A17236E103058FCF09DFB5C84459EBBB6FF85300B15856AE806AF211DB75E956CB40
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1685763138.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_5690000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 76d05095d1ef21c3d72b22c7b6ebb9994773d7c24d1807b22c61adbe9dd30554
                                                                                                        • Instruction ID: 6623bc283434ba970bd00166cb5d03ba2a507591fe79733eec21b44fdfb38a58
                                                                                                        • Opcode Fuzzy Hash: 76d05095d1ef21c3d72b22c7b6ebb9994773d7c24d1807b22c61adbe9dd30554
                                                                                                        • Instruction Fuzzy Hash: 74C118B08217458AD716CF25E84A1897FB1FF85314F52421AE2612F2D0EFBC166EEF84
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1680116502.0000000002770000.00000040.00001000.00020000.00000000.sdmp, Offset: 02770000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_2770000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 597c0d950d7a1baf72706a893799aa2982191e77cec4ca749b12db36279116a7
                                                                                                        • Instruction ID: a28f87f4b21d27a98a56b4b2432d1efcf76b9282c5408ef3a89a565e4a3e0a38
                                                                                                        • Opcode Fuzzy Hash: 597c0d950d7a1baf72706a893799aa2982191e77cec4ca749b12db36279116a7
                                                                                                        • Instruction Fuzzy Hash: 27518779A00701CFC765CF69C580A86BBF4FF08720711566AE99AD7755E730E941CF90
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1685763138.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_5690000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: a7a26ba40f5f908f84332f2c276783a83b06fb2b91bbbdbba896646b5b3e763a
                                                                                                        • Instruction ID: 0ccce73f05e1c03f23d5207546e5e86ed22624f41e3bac5999c5d7f1fe624d8a
                                                                                                        • Opcode Fuzzy Hash: a7a26ba40f5f908f84332f2c276783a83b06fb2b91bbbdbba896646b5b3e763a
                                                                                                        • Instruction Fuzzy Hash: 9E3187B4D052589FCF14CFA9D984A9EFBF5AB49320F24906AE819B7310D334A945CF94
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%

                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1685763138.0000000005690000.00000040.00000800.00020000.00000000.sdmp, Offset: 05690000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_5690000_CswRsjV3kH.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 1686bc1ebc06dae2899bd4ca90c0eb44eae2b2403e5cc910ba79db2125fed0c6
                                                                                                        • Instruction ID: c8fd3505df11014a71df16c77ae534bc3895656b537829c253a6312489bd9e8b
                                                                                                        • Opcode Fuzzy Hash: 1686bc1ebc06dae2899bd4ca90c0eb44eae2b2403e5cc910ba79db2125fed0c6
                                                                                                        • Instruction Fuzzy Hash: 1131A8B5D052489FCF14CFA9E984A9EFBF5BB49310F24902AE818B7310D334A945CF94
                                                                                                        Uniqueness

                                                                                                        Uniqueness Score: -1.00%